
Fix potential vulnerability in CI workflow #2


Open. Wants to merge 2 commits into base: develop

Conversation

jwallwork23 (Collaborator)

Supersedes #1.

As noted in geoschem#86, without the edits to the cloud benchmarking workflow in this PR, the zizmor GitHub Actions static analysis tool reports:

error[template-injection]: code injection via template expansion
  --> /home/joe/software/GCClassic/.github/workflows/cloud-benchmarking-workflow.yml:45:9
   |
45 |         - name: Reset Initial Variables for pull request
   |           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ this step
46 | /         run: |
47 | |           echo "GITHUB_SHA_SHORT=`echo ${{ github.event.pull_request.head.sha }} | cut -c1-7`" >> $GITHUB_ENV
48 | |           echo "COMMIT_NAME=`echo ${{ github.event.pull_request.head.sha }} | cut -c1-7`" >> $GITHUB_ENV
   | |________________________________________________________________________________________________________^ github.event.pull_request.head.sha may expand into attacker-controllable code
   |
   = note: audit confidence → High
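The step zizmor flags above, beside one hardened form of it. This is an added example for illustration and is not the edit made in this PR: it uses the standard GitHub Actions mitigation of passing the expression through `env:` so that the SHA reaches the shell as the value of an environment variable (the name `HEAD_SHA` is chosen here) instead of being pasted into the script text before bash parses it. The original step is repeated in the block only so the two forms can be compared.

```yaml
# Flagged form: the ${{ ... }} expression is expanded into the script source
# before the shell runs, so whatever the context holds becomes shell syntax.
- name: Reset Initial Variables for pull request (flagged by zizmor)
  run: |
    echo "GITHUB_SHA_SHORT=`echo ${{ github.event.pull_request.head.sha }} | cut -c1-7`" >> $GITHUB_ENV
    echo "COMMIT_NAME=`echo ${{ github.event.pull_request.head.sha }} | cut -c1-7`" >> $GITHUB_ENV

# Hardened form (assumed mitigation, not the PR's own diff): the expression is
# evaluated only in `env:`, where it is data, and the shell reads it as
# "$HEAD_SHA". Quoting the expansion keeps it a single word for cut(1), and
# quoting $GITHUB_ENV guards the redirect target the same way.
- name: Reset Initial Variables for pull request
  env:
    HEAD_SHA: ${{ github.event.pull_request.head.sha }}
  run: |
    echo "GITHUB_SHA_SHORT=$(echo "$HEAD_SHA" | cut -c1-7)" >> "$GITHUB_ENV"
    echo "COMMIT_NAME=$(echo "$HEAD_SHA" | cut -c1-7)" >> "$GITHUB_ENV"
```

The same pattern applies to any `${{ ... }}` reference inside a `run:` block: every expression zizmor reports under `template-injection` can be moved into `env:` (or passed as a step `with:` input) and then read as a shell variable, after which re-running zizmor on the workflow file should no longer report that step.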

@jwallwork23 jwallwork23 added the bug Something isn't working label Mar 31, 2025
@jwallwork23 jwallwork23 self-assigned this Mar 31, 2025
@jwallwork23 jwallwork23 requested a review from ltmurray March 31, 2025 11:10
Labels
bug Something isn't working

1 participant