akanealw/Charon
1
0
Fork 0
Code Issues Pull Requests Actions 14 Packages Projects Releases Wiki Activity

fix: CI workflow shell injection vulnerability

Browse Source 
- Use environment variables for GitHub context in shell scripts to prevent injection attacks and syntax errors when commit messages contain special characters (e.g. single quotes, ampersands).
- Fixes failure when merging branches with special characters in their names.
This commit is contained in:
Wikid82
2025-11-19 19:59:45 -05:00
parent 8f35d08dfa
commit 00981be8dc
2 changed files with 17 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
.github/workflows/docker-build.yml vendored
View File

@@ -34,23 +34,24 @@ jobs:
- name: 🧪 Determine skip condition
id: skip
env:
ACTOR: ${{ github.actor }}
EVENT: ${{ github.event_name }}
HEAD_MSG: ${{ github.event.head_commit.message }}
run: |
should_skip=false
actor='${{ github.actor }}'
event='${{ github.event_name }}'
head_msg='${{ github.event.head_commit.message }}'
pr_title=""
if [ "$event" = "pull_request" ]; then
if [ "$EVENT" = "pull_request" ]; then
pr_title=$(jq -r '.pull_request.title' "$GITHUB_EVENT_PATH" 2>/dev/null || echo '')
fi
if [ "$actor" = "renovate[bot]" ]; then should_skip=true; fi
if echo "$head_msg" | grep -Ei '^chore\(deps' >/dev/null 2>&1; then should_skip=true; fi
if echo "$head_msg" | grep -Ei '^chore:' >/dev/null 2>&1; then should_skip=true; fi
if [ "$ACTOR" = "renovate[bot]" ]; then should_skip=true; fi
if echo "$HEAD_MSG" | grep -Ei '^chore\(deps' >/dev/null 2>&1; then should_skip=true; fi
if echo "$HEAD_MSG" | grep -Ei '^chore:' >/dev/null 2>&1; then should_skip=true; fi
if echo "$pr_title" | grep -Ei '^chore\(deps' >/dev/null 2>&1; then should_skip=true; fi
if echo "$pr_title" | grep -Ei '^chore:' >/dev/null 2>&1; then should_skip=true; fi
echo "skip_build=$should_skip" >> $GITHUB_OUTPUT
if [ "$should_skip" = true ]; then
echo "Skipping heavy docker build for actor=$actor event=$event (message/title matched)"
echo "Skipping heavy docker build for actor=$ACTOR event=$EVENT (message/title matched)"
else
echo "Proceeding with full docker build"
fi