Avoid script injection from PR head ref in publish workflow
AlanGreene authored and tekton-robot committed Jan 20, 2025
1 parent 3944f5d commit 94ef989
Showing 1 changed file with 3 additions and 1 deletion.
4 changes: 3 additions & 1 deletion .github/workflows/publish.yml
@@ -105,10 +105,12 @@ jobs:
- name: Check PR is up-to-date
if: ${{ steps.checkPublishCommit.outcome == 'success' && github.event_name == 'pull_request' }}
env:
# user controls the head ref, use env var to avoid script injection similar to PR title / commit message handling above
PR_HEAD_REF: ${{github.event.pull_request.head.ref}}
GH_TOKEN: ${{ github.token }}
run: |
BASE_REF="${{github.event.pull_request.base.repo.owner.login}}:${{github.event.pull_request.base.ref}}"
HEAD_REF="${{github.event.pull_request.head.repo.owner.login}}:${{github.event.pull_request.head.ref}}"
HEAD_REF="${{github.event.pull_request.head.repo.owner.login}}:${PR_HEAD_REF}"
STATUS=$(gh api \
-H "Accept: application/vnd.github+json" \
-H "X-GitHub-Api-Version: 2022-11-28" \
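Review bot: the hunk leaves two other event fields inlined into the script: `BASE_REF` on the first unchanged line still interpolates `github.event.pull_request.base.repo.owner.login` and `base.ref` directly, and the new `HEAD_REF` line still inlines `head.repo.owner.login`. These are not attacker-controlled the way `head.ref` is (a PR's base must be an existing branch of the base repository, and GitHub logins are limited to letters, digits and hyphens), so no injection remains here, but routing them through `env:` as well would make the step safe without relying on that reasoning and would follow the convention the comment on the new `PR_HEAD_REF` line describes, e.g. `PR_BASE_REF: ${{ github.event.pull_request.base.ref }}` and then `BASE_REF="${PR_BASE_OWNER}:${PR_BASE_REF}"`. The new `HEAD_REF` line itself is correct: `${PR_HEAD_REF}` is expanded inside double quotes, so a branch name containing `$(...)`, backticks or a `"` reaches `gh api` as data, whereas on the removed line the runner substituted the raw ref into the script text before bash parsed it.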