From 00981be8dc35d1a3cf1b1b37e66abb498d603e84 Mon Sep 17 00:00:00 2001
From: Wikid82
Date: Wed, 19 Nov 2025 19:59:45 -0500
Subject: [PATCH] fix: CI workflow shell injection vulnerability
- Use environment variables for GitHub context in shell scripts to prevent injection attacks and syntax errors when commit messages contain special characters (e.g. single quotes, ampersands).
- Fixes failure when merging branches with special characters in their names.
---
 .github/workflows/docker-build.yml | 17 +++++++++--------
 .github/workflows/docker-publish.yml | 15 ++++++++-------
 2 files changed, 17 insertions(+), 15 deletions(-)
diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
index 21e4c4ff..e31baa5e 100644
--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
@@ -34,23 +34,24 @@ jobs:
 - name: 🧪 Determine skip condition
 id: skip
+ env:
+ ACTOR: ${{ github.actor }}
+ EVENT: ${{ github.event_name }}
+ HEAD_MSG: ${{ github.event.head_commit.message }}
 run: |
 should_skip=false
- actor='${{ github.actor }}'
- event='${{ github.event_name }}'
- head_msg='${{ github.event.head_commit.message }}'
 pr_title=""
- if [ "$event" = "pull_request" ]; then
+ if [ "$EVENT" = "pull_request" ]; then
 pr_title=$(jq -r '.pull_request.title' "$GITHUB_EVENT_PATH" 2>/dev/null || echo '')
 fi
- if [ "$actor" = "renovate[bot]" ]; then should_skip=true; fi
- if echo "$head_msg" | grep -Ei '^chore\(deps' >/dev/null 2>&1; then should_skip=true; fi
- if echo "$head_msg" | grep -Ei '^chore:' >/dev/null 2>&1; then should_skip=true; fi
+ if [ "$ACTOR" = "renovate[bot]" ]; then should_skip=true; fi
+ if echo "$HEAD_MSG" | grep -Ei '^chore\(deps' >/dev/null 2>&1; then should_skip=true; fi
+ if echo "$HEAD_MSG" | grep -Ei '^chore:' >/dev/null 2>&1; then should_skip=true; fi
 if echo "$pr_title" | grep -Ei '^chore\(deps' >/dev/null 2>&1; then should_skip=true; fi
 if echo "$pr_title" | grep -Ei '^chore:' >/dev/null 2>&1; then should_skip=true; fi
 echo "skip_build=$should_skip" >> $GITHUB_OUTPUT
 if [ "$should_skip" = true ]; then
- echo "Skipping heavy docker build for actor=$actor event=$event (message/title matched)"
+ echo "Skipping heavy docker build for actor=$ACTOR event=$EVENT (message/title matched)"
 else
 echo "Proceeding with full docker build"
 fi
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
index f29fbff8..82b4e969 100644
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
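Review bot: The skip decision still keys off text the PR author controls: on `pull_request` events the `pr_title` rules let anyone exempt their change from the docker build by titling the PR `chore: …` or `chore(deps…`, and moving `${{ }}` into `env:` fixes the injection but not this. If this job backs a required status check that is a CI bypass rather than a convenience, so either gate the title/message rules behind a trusted-actor condition (the existing `renovate[bot]` check is the natural anchor) or record the trade-off in a comment. A smaller issue is that `grep -Ei '^chore…'` runs over the whole multi-line `HEAD_MSG`, so any body line starting with `chore:` triggers the skip, not just the subject; checking only the first line, e.g. `printf '%s\n' "${HEAD_MSG%%$'\n'*}" | grep -Eiq '^chore(\(deps|:)'`, is tighter and collapses two pipelines into one. The step's `run:` block ends inside the hunk at the closing `fi`; the rest of the job is outside it.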
@@ -32,18 +32,19 @@ jobs:
 - name: Determine skip condition
 id: skip
+ env:
+ ACTOR: ${{ github.actor }}
+ EVENT: ${{ github.event_name }}
+ HEAD_MSG: ${{ github.event.head_commit.message }}
 run: |
 should_skip=false
- actor='${{ github.actor }}'
- event='${{ github.event_name }}'
- head_msg='${{ github.event.head_commit.message }}'
 pr_title=""
- if [ "$event" = "pull_request" ]; then
+ if [ "$EVENT" = "pull_request" ]; then
 pr_title=$(jq -r '.pull_request.title' "$GITHUB_EVENT_PATH" 2>/dev/null || echo '')
 fi
- if [ "$actor" = "renovate[bot]" ]; then should_skip=true; fi
- if echo "$head_msg" | grep -Ei '^chore\(deps' >/dev/null 2>&1; then should_skip=true; fi
- if echo "$head_msg" | grep -Ei '^chore:' >/dev/null 2>&1; then should_skip=true; fi
+ if [ "$ACTOR" = "renovate[bot]" ]; then should_skip=true; fi
+ if echo "$HEAD_MSG" | grep -Ei '^chore\(deps' >/dev/null 2>&1; then should_skip=true; fi
+ if echo "$HEAD_MSG" | grep -Ei '^chore:' >/dev/null 2>&1; then should_skip=true; fi
 if echo "$pr_title" | grep -Ei '^chore\(deps' >/dev/null 2>&1; then should_skip=true; fi
 if echo "$pr_title" | grep -Ei '^chore:' >/dev/null 2>&1; then should_skip=true; fi
 echo "skip_build=$should_skip" >> $GITHUB_OUTPUT
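Review bot: This step is a line-for-line copy of the skip step in docker-build.yml — this very patch had to be applied twice — so the two will drift the next time one is edited; a composite action (or a reusable workflow) exposing a single `skip_build` output would give the skip policy one source of truth. Within the hunk, `>> $GITHUB_OUTPUT` should be `>> "$GITHUB_OUTPUT"` to match the quoting used on every other expansion in the script, and the repeated `grep … >/dev/null 2>&1` can simply be `grep -Eiq`. Since `github.event.head_commit` is, as far as I know, only present in `push` payloads, `HEAD_MSG` expands to an empty string on `pull_request` runs and only `pr_title` decides; a comment such as `# HEAD_MSG is empty on pull_request events; the PR title is checked instead` would explain why both are tested. Whatever follows the `skip_build` output line in this step is outside the hunk.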