Befator-Inc-Firmen-Netzwerk/msys2-autobuild
3
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 10 Wiki Activity

Don't use workflow inputs directly in scripts

Browse Source 
They could inject commands that way. Instead assign them
to an env var and then use that env var in the powershell scripts.

We want to open those controls up to more people, so we need to make
sure they can only change the values and not extract tokens etc.

Fixes #60
This commit is contained in:
Christoph Reiter 2022-08-21 20:37:07 +02:00
parent 9374b1d9b4
commit 0d4680c01f
2 changed files with 8 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
.github/workflows/build.yml vendored
View File

@ -53,8 +53,9 @@ jobs:
env: env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITHUB_TOKEN_READONLY: ${{ secrets.GITHUBTOKENREADONLY }} GITHUB_TOKEN_READONLY: ${{ secrets.GITHUBTOKENREADONLY }}
OPTIONAL_DEPS: ${{ github.event.inputs.optional_deps }}
run: | run: |
python -u autobuild.py write-build-plan --optional-deps '${{ github.event.inputs.optional_deps }}' build_plan.json python -u autobuild.py write-build-plan --optional-deps "$env:OPTIONAL_DEPS" build_plan.json
buildPlan="$(cat build_plan.json)" buildPlan="$(cat build_plan.json)"
echo "::set-output name=build-plan::$buildPlan" echo "::set-output name=build-plan::$buildPlan"
@ -71,8 +72,9 @@ jobs:
env: env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITHUB_TOKEN_READONLY: ${{ secrets.GITHUBTOKENREADONLY }} GITHUB_TOKEN_READONLY: ${{ secrets.GITHUBTOKENREADONLY }}
OPTIONAL_DEPS: ${{ github.event.inputs.optional_deps }}
run: | run: |
python -u autobuild.py show --optional-deps '${{ github.event.inputs.optional_deps }}' python -u autobuild.py show --optional-deps "$env:OPTIONAL_DEPS"
build: build:
needs: schedule needs: schedule

6
.github/workflows/maint.yml vendored
View File

@ -46,8 +46,9 @@ jobs:
env: env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITHUB_TOKEN_READONLY: ${{ secrets.GITHUBTOKENREADONLY }} GITHUB_TOKEN_READONLY: ${{ secrets.GITHUBTOKENREADONLY }}
CLEAR_FAILED_BUILD_TYPES: ${{ github.event.inputs.clear_failed_build_types }}
run: | run: |
python -u autobuild.py clear-failed --build-types '${{ github.event.inputs.clear_failed_build_types }}' python -u autobuild.py clear-failed --build-types "$env:CLEAR_FAILED_BUILD_TYPES"
python -u autobuild.py update-status python -u autobuild.py update-status
- name: Clear failed packages - name: Clear failed packages
@ -55,6 +56,7 @@ jobs:
env: env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITHUB_TOKEN_READONLY: ${{ secrets.GITHUBTOKENREADONLY }} GITHUB_TOKEN_READONLY: ${{ secrets.GITHUBTOKENREADONLY }}
CLEAR_FAILED_PACKAGES: ${{ github.event.inputs.clear_failed_packages }}
run: | run: |
python -u autobuild.py clear-failed --packages '${{ github.event.inputs.clear_failed_packages }}' python -u autobuild.py clear-failed --packages "$env:CLEAR_FAILED_PACKAGES"
python -u autobuild.py update-status python -u autobuild.py update-status