Commit fcebf9a
fix: prevent template injection in docs preview workflow

Use environment variables instead of direct template expansion in bash commands to prevent potential code injection attacks through branch names. This addresses the zizmor linter check for template injection vulnerabilities.
1 parent 1be9e28 commit fcebf9a

File tree

1 file changed

+7
-5
lines changed


.github/workflows/docs-preview-comment.yaml

Lines changed: 7 additions & 5 deletions
@@ -29,10 +29,13 @@ jobs:
2929

3030
-name:Get changed docs files
3131
id:changed-files
32+
env:
33+
BASE_REF:${{ github.event.pull_request.base.ref }}
34+
HEAD_REF:${{ github.event.pull_request.head.ref }}
3235
run:|
3336
# Get the list of changed files in docs/
34-
git fetch origin${{ github.event.pull_request.base.ref }}
35-
CHANGED_DOCS=$(git diff --name-only origin/${{ github.event.pull_request.base.ref }}...HEAD | grep '^docs/' | grep '\.md$' || true)
37+
git fetch origin"$BASE_REF"
38+
CHANGED_DOCS=$(git diff --name-only"origin/$BASE_REF...HEAD" | grep '^docs/' | grep '\.md$' || true)
3639
3740
if [ -z "$CHANGED_DOCS" ]; then
3841
echo "No markdown files changed in docs/"
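Review bot: The new `env:` block deserves a one-line comment saying why `BASE_REF` and `HEAD_REF` are passed through the environment instead of being expanded inline, so that a later edit does not reintroduce `${{ ... }}` into `run:`; the move itself is correct, since the runner hands the values to bash as ordinary strings, and the quoting on `git fetch origin "$BASE_REF"` and `"origin/$BASE_REF...HEAD"` keeps each value a single argument.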
@@ -43,8 +46,7 @@ jobs:
4346
echo "has_changes=true" >> $GITHUB_OUTPUT
4447
4548
# URI-encode the branch name
46-
BRANCH_NAME="${{ github.event.pull_request.head.ref }}"
47-
ENCODED_BRANCH=$(echo -n "$BRANCH_NAME" | jq -sRr @uri)
49+
ENCODED_BRANCH=$(echo -n "$HEAD_REF" | jq -sRr @uri)
4850
4951
# Build the comment with preview links
5052
COMMENT="## 📚 Documentation Preview Links\n\n"
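Review bot: `ENCODED_BRANCH=$(echo -n "$HEAD_REF" | jq -sRr @uri)` depends on the shell's builtin `echo` not interpreting backslash sequences in the branch name; `printf '%s' "$HEAD_REF" | jq -sRr @uri` makes that explicit and behaves the same under any shell. A style point on the unchanged context line above: `>> $GITHUB_OUTPUT` leaves the path unquoted, and `>> "$GITHUB_OUTPUT"` is the usual form in these workflows.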
@@ -63,7 +65,7 @@ jobs:
6365
done <<< "$CHANGED_DOCS"
6466
6567
COMMENT+="\n---\n"
66-
COMMENT+="_Preview links are generated for branch: \`${BRANCH_NAME}\`_"
68+
COMMENT+="_Preview links are generated for branch: \`${HEAD_REF}\`_"
6769
6870
# Save comment to file for next step
6971
echo -e "$COMMENT" > comment.txt
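Review bot: `HEAD_REF` is still spliced unencoded into the Markdown body at `COMMENT+="_Preview links are generated for branch: \`${HEAD_REF}\`_"`, and the whole string is then written with `echo -e "$COMMENT"`, which also interprets backslash sequences that happen to be inside the branch name; only the URLs use `ENCODED_BRANCH`. Since this no longer reaches the shell the remaining exposure is limited to a malformed or misleading comment, but building `COMMENT` with real newlines (`$'\n'`) and writing it with `printf '%s\n' "$COMMENT" > comment.txt` would remove the need for `echo -e` and leave the branch name's characters untouched.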

0 commit comments

Comments
 (0)

[8]ページ先頭

©2009-2025 Movatter.jp