Skip to content

fix(infra): harden pydantic test workflow against command injection #33446

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 3 commits into
base: master
Choose a base branch
from
Open

fix(infra): harden pydantic test workflow against command injection #33446

wants to merge 3 commits into from
+3 −1

Conversation

ColeMurray
Copy link
Contributor

@ColeMurray ColeMurray commented Oct 12, 2025
edited
Loading

Move the pydantic-version input into an environment variable instead of directly interpolating it into the bash command, following GitHub Actions security best practices.

While this workflow is only callable by maintainers (limiting practical risk), using environment variables for inputs is the recommended security pattern and helps prevent potential issues if the workflow structure changes in the future.

@ColeMurray
fix(ci): harden pydantic test workflow against command injection
603a6e0 
Move the pydantic-version input into an environment variable instead of
directly interpolating it into the bash command, following GitHub Actions
security best practices.

While this workflow is only callable by maintainers (limiting practical
risk), using environment variables for inputs is the recommended security
pattern and helps prevent potential issues if the workflow structure
changes in the future.
@github-actions github-actions bot added infra Chores, devops, repo meta changes github_actions Pull requests that update GitHub Actions code fix labels Oct 12, 2025
@ColeMurray ColeMurray changed the title fix(ci): harden pydantic test workflow against command injection fix(infra): harden pydantic test workflow against command injection Oct 12, 2025
@github-actions github-actions bot added fix and removed fix infra Chores, devops, repo meta changes labels Oct 12, 2025
@github-actions github-actions bot added infra Chores, devops, repo meta changes fix and removed fix infra Chores, devops, repo meta changes labels Oct 12, 2025
@eyurtsev eyurtsev enabled auto-merge (squash) October 13, 2025 19:30
@github-actions github-actions bot added the infra Chores, devops, repo meta changes label Oct 13, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@eyurtsev eyurtsev eyurtsev approved these changes

@baskaryan baskaryan Awaiting requested review from baskaryan baskaryan is a code owner

@ccurme ccurme Awaiting requested review from ccurme ccurme is a code owner

Assignees

No one assigned

Labels

fix github_actions Pull requests that update GitHub Actions code infra Chores, devops, repo meta changes

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ColeMurray @eyurtsev