From 9151ac27638e4491628d5bbb51643abc6bcd5f54 Mon Sep 17 00:00:00 2001
From: Diogo Teles Sant'Anna
Date: Wed, 11 Sep 2024 12:35:51 -0300
Subject: [PATCH] fix: github workflow vulnerable to script injection (#2663)

* inline repo's full_name as env var

Signed-off-by: Diogo Teles Sant'Anna
Co-authored-by: Diego Marquez
---
 .../workflows/hermetic_library_generation.yaml | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/hermetic_library_generation.yaml b/.github/workflows/hermetic_library_generation.yaml
index cc49d69ff4..8b1779de53 100644
--- a/.github/workflows/hermetic_library_generation.yaml
+++ b/.github/workflows/hermetic_library_generation.yaml
@@ -19,10 +19,14 @@ on:
 paths:
 - 'generation_config.yaml'
+
+env:
+ HEAD_REF: ${{ github.head_ref }}
+ REPO_FULL_NAME: ${{ github.event.pull_request.head.repo.full_name }}
+ GITHUB_REPOSITORY: ${{ github.repository }}
+
 jobs:
 library_generation:
- # skip pull requests coming from a forked repository
- if: github.event.pull_request.head.repo.full_name == github.repository
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
@@ -32,11 +36,15 @@ jobs:
 - name: Generate changed libraries
 shell: bash
 run: |
- set -x
+ set -ex
+ if [[ "${GITHUB_REPOSITORY}" != "${REPO_FULL_NAME}" ]]; then
+ echo "This PR comes from a fork. Generation will be skipped"
+ exit 0
+ fi
 [ -z "$(git config user.email)" ] && git config --global user.email "cloud-java-bot@google.com"
 [ -z "$(git config user.name)" ] && git config --global user.name "cloud-java-bot"
 bash .github/scripts/hermetic_library_generation.sh \
 --target_branch ${{ github.base_ref }} \
- --current_branch ${{ github.head_ref }}
+ --current_branch $HEAD_REF
 env:
 GH_TOKEN: ${{ secrets.CLOUD_JAVA_BOT_TOKEN }}
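Review bot: `GITHUB_REPOSITORY: ${{ github.repository }}` in the new `env:` block redefines a default environment variable the runner already exports with the same value, so the line is redundant and the step can read the built-in `$GITHUB_REPOSITORY` directly. The removed job-level `if:` compared the two values in expression context rather than in a shell, so it was not itself injectable; moving the fork check into the `run:` script means `actions/checkout@v4` and any steps between the two hunks now execute for fork PRs before the guard runs. Whether that widens exposure depends on the trigger under `on:`, which is outside the hunk: on `pull_request` fork PRs receive no secrets, but on `pull_request_target` those earlier steps would run with `secrets.CLOUD_JAVA_BOT_TOKEN` available. If the goal was only to surface the skip reason in the log, the job-level `if:` could be kept alongside the in-script check so the early gate still applies.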
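Review bot: `--current_branch $HEAD_REF` on the new side is an unquoted expansion; passing the branch name through `env:` stops it being parsed as shell code, but word splitting and globbing still apply to an unquoted variable, so it should read `--current_branch "$HEAD_REF"`. The unchanged context line above it still interpolates `${{ github.base_ref }}` straight into the script; that value is limited to an existing branch name of the base repository, so it is lower risk than `head_ref`, but for consistency with the fix it belongs in the same `env:` block as `BASE_REF: ${{ github.base_ref }}` with the call becoming `--target_branch "$BASE_REF" \`. The step's `run:` block is entirely within the hunk.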