From 05ca7551743b936656033352be0d796cf56e5c0c Mon Sep 17 00:00:00 2001
From: Viktor Szakats
Date: Mon, 16 Dec 2024 23:40:25 +0100
Subject: [PATCH] GHA: silence zizmor warnings [ci skip]
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Thanks @woodruffw!

One of these for each job:
```
error[template-injection]: code injection via template expansion
--> .github/workflows/build.yml:67:9
|
67 | - name: 'build'
| ^^^^^^^^^^^^^ this step
68 | / run: |
69 | | export CW_CONFIG='awslc-${{ github.ref_name }}-linux-a64-r64-x64'
... |
78 | | "${DOCKER_IMAGE}" \
79 | | sh -c ./_ci-linux-debian.sh
| |_______________________________________^ github.ref_name may expand into attacker-controllable code
|
= note: audit confidence → High
```

For this project none posed a security issue, because we limit runs to branches `main`, `dev` and `test`.
---
 .github/workflows/build.yml | 34 +++++++++++++++++-----------------
 1 file changed, 17 insertions(+), 17 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index f1b890e80..43bdabfd4 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -73,7 +73,7 @@ jobs:
 fetch-depth: '300'
 - name: 'build'
 run: |
- export CW_CONFIG='${{ github.ref_name }}-linux-a64-x64'
+ export CW_CONFIG="${GITHUB_REF_NAME}-linux-a64-x64"
 export CW_REVISION='${{ github.sha }}'
 . ./_versions.sh
 docker trust inspect --pretty "${DOCKER_IMAGE}"
@@ -105,7 +105,7 @@ jobs:
 fetch-depth: '300'
 - name: 'build'
 run: |
- export CW_CONFIG='${{ github.ref_name }}-linux-a64-r64-x64-gcc'
+ export CW_CONFIG="${GITHUB_REF_NAME}-linux-a64-r64-x64-gcc"
 export CW_REVISION='${{ github.sha }}'
 . ./_versions.sh
 export CW_GCCSUFFIX='-14'
@@ -138,7 +138,7 @@ jobs:
 fetch-depth: '300'
 - name: 'build'
 run: |
- export CW_CONFIG='${{ github.ref_name }}-linux'
+ export CW_CONFIG="${GITHUB_REF_NAME}-linux"
 export CW_REVISION='${{ github.sha }}'
 DOCKER_IMAGE='debian:bookworm-slim'
 DOCKER_CONTENT_TRUST=1
@@ -173,7 +173,7 @@ jobs:
 fetch-depth: '300'
 - name: 'build'
 run: |
- export CW_CONFIG='${{ github.ref_name }}-linux-gcc'
+ export CW_CONFIG="${GITHUB_REF_NAME}-linux-gcc"
 export CW_REVISION='${{ github.sha }}'
 DOCKER_IMAGE='debian:bookworm-slim'
 DOCKER_CONTENT_TRUST=1
@@ -208,7 +208,7 @@ jobs:
 fetch-depth: '300'
 - name: 'build'
 run: |
- export CW_CONFIG='${{ github.ref_name }}-linux-a64-r64-x64-musl'
+ export CW_CONFIG="${GITHUB_REF_NAME}-linux-a64-r64-x64-musl"
 export CW_REVISION='${{ github.sha }}'
 . ./_versions.sh
 docker trust inspect --pretty "${DOCKER_IMAGE}"
@@ -240,7 +240,7 @@ jobs:
 fetch-depth: '300'
 - name: 'build'
 run: |
- export CW_CONFIG='${{ github.ref_name }}-linux-a64-r64-x64-musl-gcc'
+ export CW_CONFIG="${GITHUB_REF_NAME}-linux-a64-r64-x64-musl-gcc"
 export CW_REVISION='${{ github.sha }}'
 . ./_versions.sh
 docker trust inspect --pretty "${DOCKER_IMAGE}"
@@ -272,7 +272,7 @@ jobs:
 fetch-depth: '300'
 - name: 'build'
 run: |
- export CW_CONFIG='${{ github.ref_name }}-linux-musl'
+ export CW_CONFIG="${GITHUB_REF_NAME}-linux-musl"
 export CW_REVISION='${{ github.sha }}'
 DOCKER_IMAGE='debian:bookworm-slim'
 DOCKER_CONTENT_TRUST=1
@@ -307,7 +307,7 @@ jobs:
 fetch-depth: '300'
 - name: 'build'
 run: |
- export CW_CONFIG='${{ github.ref_name }}-linux-musl-gcc'
+ export CW_CONFIG="${GITHUB_REF_NAME}-linux-musl-gcc"
 export CW_REVISION='${{ github.sha }}'
 DOCKER_IMAGE='debian:bookworm-slim'
 DOCKER_CONTENT_TRUST=1
@@ -342,7 +342,7 @@ jobs:
 fetch-depth: '300'
 - name: 'build'
 run: |
- export CW_CONFIG='${{ github.ref_name }}-linux'
+ export CW_CONFIG="${GITHUB_REF_NAME}-linux"
 export CW_REVISION='${{ github.sha }}'
 DOCKER_IMAGE='alpine:latest'
 DOCKER_CONTENT_TRUST=1
@@ -375,7 +375,7 @@ jobs:
 fetch-depth: '300'
 - name: 'build'
 run: |
- export CW_CONFIG='${{ github.ref_name }}-linux-gcc'
+ export CW_CONFIG="${GITHUB_REF_NAME}-linux-gcc"
 export CW_REVISION='${{ github.sha }}'
 DOCKER_IMAGE='alpine:latest'
 DOCKER_CONTENT_TRUST=1
@@ -410,7 +410,7 @@ jobs:
 env:
 GITHUB_TOKEN: '${{ github.token }}'
 run: |
- export CW_CONFIG='${{ github.ref_name }}-linux'
+ export CW_CONFIG="${GITHUB_REF_NAME}-linux"
 export CW_REVISION='${{ github.sha }}'
 sh -c ./_ci-mac-homebrew.sh
 
@@ -438,7 +438,7 @@ jobs:
 env:
 GITHUB_TOKEN: '${{ github.token }}'
 run: |
- export CW_CONFIG='${{ github.ref_name }}-mac-macuni'
+ export CW_CONFIG="${GITHUB_REF_NAME}-mac-macuni"
 export CW_REVISION='${{ github.sha }}'
 sh -c ./_ci-mac-homebrew.sh
 
@@ -466,7 +466,7 @@ jobs:
 env:
 GITHUB_TOKEN: '${{ github.token }}'
 run: |
- export CW_CONFIG='${{ github.ref_name }}-mac-macuni-llvm'
+ export CW_CONFIG="${GITHUB_REF_NAME}-mac-macuni-llvm"
 export CW_REVISION='${{ github.sha }}'
 sh -c ./_ci-mac-homebrew.sh
 
@@ -495,7 +495,7 @@ jobs:
 GITHUB_TOKEN: '${{ github.token }}'
 run: |
 export CW_CCSUFFIX='-14'
- export CW_CONFIG='${{ github.ref_name }}-mac-gcc-a64'
+ export CW_CONFIG="${GITHUB_REF_NAME}-mac-gcc-a64"
 export CW_REVISION='${{ github.sha }}'
 sh -c ./_ci-mac-homebrew.sh
 
@@ -524,7 +524,7 @@ jobs:
 CW_LLVM_MINGW_DL: '1'
 CW_LLVM_MINGW_ONLY: '0'
 run: |
- export CW_CONFIG='${{ github.ref_name }}-win'
+ export CW_CONFIG="${GITHUB_REF_NAME}-win"
 export CW_REVISION='${{ github.sha }}'
 . ./_versions.sh
 sh -c ./_ci-mac-homebrew.sh
@@ -552,7 +552,7 @@ jobs:
 CW_LLVM_MINGW_DL: '1'
 CW_LLVM_MINGW_ONLY: '0'
 run: |
- export CW_CONFIG='${{ github.ref_name }}-win'
+ export CW_CONFIG="${GITHUB_REF_NAME}-win"
 export CW_REVISION='${{ github.sha }}'
 . ./_versions.sh
 docker trust inspect --pretty "${DOCKER_IMAGE}"
@@ -587,7 +587,7 @@ jobs:
 CW_LLVM_MINGW_DL: '1'
 CW_LLVM_MINGW_ONLY: '0'
 run: |
- export CW_CONFIG='${{ github.ref_name }}-win-gcc'
+ export CW_CONFIG="${GITHUB_REF_NAME}-win-gcc"
 export CW_REVISION='${{ github.sha }}'
 . ./_versions.sh
 docker trust inspect --pretty "${DOCKER_IMAGE}"
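Review bot: The context line `export CW_REVISION='${{ github.sha }}'` directly below the rewritten line in this hunk (and in the other sixteen) is still a workflow-time template expansion of the same kind the commit is removing; `github.sha` is a fixed-format hexadecimal commit id, so it is not injectable and zizmor rightly leaves it alone, but it is now the one `${{ }}` left inside these `run:` scripts. For uniformity, and so the "no expressions inside `run:`" rule holds without exceptions, `export CW_REVISION="${GITHUB_SHA}"` would match the new `CW_CONFIG` line and read identically. The branch name also only stops being *code* at the workflow layer: `CW_CONFIG` still carries `${GITHUB_REF_NAME}` into `_versions.sh` and the `_ci-*.sh` scripts, which are outside this diff, so those presumably keep it quoted and never `eval` it — worth a one-line check since that is where any residual shell-metacharacter risk would live. The `run:` block this hunk edits continues past its last context line.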