
Commit e7cc602

[FSSDK-10665] fix: Github Actions YAML files vulnerable to script injections corrected (optimizely#946)
* [FSSDK-10665] fix: Github Actions YAML files vulnerable to script injections corrected * Update release.yml unnecessary assignment of default environment variable * Update release.yml renamed ALTERNATE_RELEASE_TAG to GITHUB_RELEASE_TAG
1 parent 093c3ca commit e7cc602


2 files changed

+13
-8
lines changed


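--- a/.github/workflows/integration_test.yml
+++ b/.github/workflows/integration_test.yml
@@ -23,15 +23,19 @@ jobs:
           path: 'home/runner/travisci-tools'
           ref: 'master'
       - name: set SDK Branch if PR
+        env:
+          HEAD_REF: ${{ github.head_ref }}
         if: ${{ github.event_name == 'pull_request' }}
         run: |
-          echo "SDK_BRANCH=${{ github.head_ref }}" >> $GITHUB_ENV
-          echo "TRAVIS_BRANCH=${{ github.head_ref }}" >> $GITHUB_ENV
+          echo "SDK_BRANCH=$HEAD_REF" >> $GITHUB_ENV
+          echo "TRAVIS_BRANCH=$HEAD_REF" >> $GITHUB_ENV
       - name: set SDK Branch if not pull request
+        env:
+          REF_NAME: ${{ github.ref_name }}
         if: ${{ github.event_name != 'pull_request' }}
         run: |
-          echo "SDK_BRANCH=${{ github.ref_name }}" >> $GITHUB_ENV
-          echo "TRAVIS_BRANCH=${{ github.ref_name }}" >> $GITHUB_ENV
+          echo "SDK_BRANCH=$REF_NAME" >> $GITHUB_ENV
+          echo "TRAVIS_BRANCH=$REF_NAME" >> $GITHUB_ENV
       - name: Trigger build
         env:
           SDK: javascript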
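Review bot: The `env:` indirection added for `HEAD_REF` and `REF_NAME` only closes the injection as long as every downstream reader of `SDK_BRANCH` / `TRAVIS_BRANCH` takes the value as a shell variable; the "Trigger build" step that begins on the hunk's last lines (its body is outside the hunk) would reopen the same hole if it writes `${{ env.SDK_BRANCH }}` into a `run:` script, so confirm it uses `$SDK_BRANCH` / `$TRAVIS_BRANCH` instead. Worth recording the reason above the first step so the pattern is not undone in a later edit: `# head_ref is chosen by the PR author; expose it via env and read $HEAD_REF in run:, never interpolate it with ${{ }}`. A minor robustness point in the same lines: `>> $GITHUB_ENV` is better written `>> "$GITHUB_ENV"` so the path is not word-split.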

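--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -32,20 +32,21 @@ jobs:
           echo "latest-release-tag=$(curl -qsSL \
             -H "Accept: application/vnd.github+json" \
             -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
-            "${{ github.api_url }}/repos/${{ github.repository }}/releases/latest" \
+            "$GITHUB_API_URL/repos/$GITHUB_REPOSITORY/releases/latest" \
             | jq -r .tag_name)" >> $GITHUB_OUTPUT
 
       - id: npm-tag
         name: Determine NPM tag
+        env:
+          GITHUB_RELEASE_TAG: ${{ github.event.release.tag_name }}
         run: |
           VERSION=$(jq -r '.version' package.json)
           LATEST_RELEASE_TAG="${{ steps.latest-release.outputs['latest-release-tag']}}"
-
+
           if [[ ${{ github.event_name }} == "workflow_dispatch" ]]; then
-            GITHUB_REF=${{ github.ref }}
             RELEASE_TAG=${GITHUB_REF#refs/tags/}
           else
-            RELEASE_TAG="${{ github.event.release.tag_name }}"
+            RELEASE_TAG=$GITHUB_RELEASE_TAG
           fi
 
           if [[ $RELEASE_TAG == $LATEST_RELEASE_TAG ]]; then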
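Review bot: `LATEST_RELEASE_TAG="${{ steps.latest-release.outputs['latest-release-tag']}}"` is still expanded by the expression engine straight into the script, although it carries the same kind of value (a release tag name, here fetched from the API) that the commit moves into `GITHUB_RELEASE_TAG` for exactly that reason; pass it the same way by adding `LATEST_RELEASE_TAG: ${{ steps.latest-release.outputs['latest-release-tag'] }}` under the step's `env:` and dropping the shell assignment, since the variable is then already set. For consistency with the hunk's own switch to `$GITHUB_API_URL` / `$GITHUB_REPOSITORY`, the `workflow_dispatch` test can read `$GITHUB_EVENT_NAME` rather than `${{ github.event_name }}`. On the comparison at the hunk's last line the unquoted right-hand side of `[[ == ]]` is treated as a glob pattern, so a tag containing `*` or `?` would match more than itself; `if [[ "$RELEASE_TAG" == "$LATEST_RELEASE_TAG" ]]; then` compares literally. The script body continues past the hunk.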
