From 513da2cd9ce88610a7d80d2ccc7298f2a50fe0df Mon Sep 17 00:00:00 2001
From: Brandon Diaz <“BrandonLouisDiaz@gmail.com”>
Date: Tue, 17 Jun 2025 12:15:28 -0400
Subject: [PATCH] Pass github context var through env variable to avoid injection attack
---
 .github/workflows/push-tag-create-release.yml | 8 ++++++--
 .github/workflows/release-approval.yml | 4 +++-
 2 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/push-tag-create-release.yml b/.github/workflows/push-tag-create-release.yml
index ff438e3ffc11..0790dfb1c834 100644
--- a/.github/workflows/push-tag-create-release.yml
+++ b/.github/workflows/push-tag-create-release.yml
@@ -63,7 +63,9 @@ jobs:
 run: echo "TAG_NAME=${GITHUB_REF}" >> $GITHUB_ENV
 - name: Set tag name from manual input
 if: github.event_name == 'workflow_dispatch'
- run: echo "TAG_NAME=refs/tags/${{ github.event.inputs.tag }}" >> $GITHUB_ENV
+ env:
+ TAG: ${{ github.event.inputs.tag }}
+ run: echo "TAG_NAME=refs/tags/$TAG" >> $GITHUB_ENV
 - name: Get release metadata JSON
 run: |
@@ -90,8 +92,10 @@ jobs:
 git checkout ${{ github.ref }}
 - name: Check out tag from manual input
 if: github.event_name == 'workflow_dispatch'
+ env:
+ TAG: ${{ github.event.inputs.tag }}
 run: |
- git checkout refs/tags/${{ github.event.inputs.tag }}
+ git checkout refs/tags/$TAG
 # Generate release reports
 - name: Create release reports (manifests)
diff --git a/.github/workflows/release-approval.yml b/.github/workflows/release-approval.yml
index eb90ca793148..e7d0521c8f1b 100644
--- a/.github/workflows/release-approval.yml
+++ b/.github/workflows/release-approval.yml
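Review bot: Moving the input into `TAG` stops the shell from interpreting it, but the new `run: echo "TAG_NAME=refs/tags/$TAG" >> $GITHUB_ENV` still writes the dispatch input to the env file unvalidated, so an empty value yields a useless `TAG_NAME=refs/tags/` and a value containing a newline adds extra lines to `$GITHUB_ENV` that later steps read as variables. A guard before the write keeps the value to a plausible tag, e.g. `[[ "$TAG" =~ ^[A-Za-z0-9._/-]+$ ]] || { echo "invalid tag input" >&2; exit 1; }`, with the pattern narrowed to whatever tag format this project actually uses. The second hunk in this file consumes the same input, so one validation step placed ahead of both would cover both. Quoting the file path as `"$GITHUB_ENV"` is a small consistency point alongside the already-quoted echo argument.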
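Review bot: `git checkout refs/tags/$TAG` leaves the expansion unquoted, so a value containing whitespace or glob characters is split into several arguments before git sees it; write it as `git checkout "refs/tags/$TAG"`. That also keeps it consistent with the quoted form used in the `TAG_NAME` step earlier in this file. The step's surrounding `run: |` block continues past the hunk, so any further use of `$TAG` there deserves the same quoting.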
@@ -71,9 +71,11 @@ jobs:
 ### These steps run on workflow_dispatch event only ###
 - name: "workflow_dispatch: Load PR number"
+ env:
+ PR: ${{ github.event.inputs.pr }}
 id: workflow_dispatch_load_pr
 if: github.event_name == 'workflow_dispatch'
- run: echo "pr_num=${{ github.event.inputs.pr }}" >> $GITHUB_OUTPUT
+ run: echo "pr_num=$PR" >> $GITHUB_OUTPUT
 - name: "workflow_dispatch: Load is_release_branch"
 id: workflow_dispatch_is_release_branch
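Review bot: `echo "pr_num=$PR" >> $GITHUB_OUTPUT` forwards the dispatch input unvalidated, so a non-numeric or multi-line value lands in the step output file and reaches every later step that reads `steps.workflow_dispatch_load_pr.outputs.pr_num`. A PR number is always a decimal integer, so a check such as `[[ "$PR" =~ ^[0-9]+$ ]] || { echo "pr input must be numeric" >&2; exit 1; }` before the write rejects anything else at the boundary. The new `env:` block sits above `id:` and `if:` here, whereas the other file in this patch places `env:` after `if:`; the order is not significant to YAML, but one convention across the workflows makes these steps easier to review.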