40 changes: 24 additions & 16 deletions action.yml
Expand Up @@ -24,8 +24,16 @@ runs:
using: composite
steps:
- name: Upload coverage report
shell: bash
shell: bash -euo pipefail {0}

Author

This is false information. This works and has worked for a long time. There are hundreds of examples available:

https://github.com/search?type=code&q=%22shell%3A+bash+-euo+pipefail+%7B0%7D%22+path%3A.github%2Fworkflows

It's also in the official GH docs: https://docs.github.com/en/actions/reference/workflows-and-actions/workflow-syntax#defaultsrunshell

env:
COMMIT_OID: >-
${{
case(
github.event_name == 'pull_request' || github.event_name == 'pull_request_target',
github.event.pull_request.head.sha,
github.sha
)
}}
Comment on lines +29 to +36

@fearphage fearphage Jun 15, 2026

Author

Update your corpus. Check the docs.

Comment on lines +29 to +36

@fearphage fearphage Jun 15, 2026

Author

It seems like you don't know how YAML folding works or you think that shas contain new line characters.

GH_TOKEN: ${{ inputs.token }}
INPUT_FILE: ${{ inputs.file }}
INPUT_LANGUAGE: ${{ inputs.language }}
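
Review bot: The strict-mode flags are now set in two places, once in `shell: bash -euo pipefail {0}` on this step and again by `set -euo pipefail` at the top of the `run:` script. Keep one of them so there is a single source of truth. If the `shell:` line is the one that stays, a short YAML comment that `-u` is intentional would help, because from then on every variable the script reads has to come from this `env:` block or from the runner's default environment, and an unset name aborts the step.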
Expand All @@ -34,38 +42,38 @@ runs:
GITHUB_EVENT_NAME: ${{ github.event_name }}
GITHUB_REPOSITORY: ${{ github.repository }}
GITHUB_API_URL: ${{ github.api_url }}
PR_NUMBER: ${{ github.event.pull_request.number }}
PULL_REQUEST_HEAD_REPO_NAME: ${{ github.event.pull_request.head.repo.full_name }}
REF: >-
${{
case(
github.event_name == 'pull_request' || github.event_name == 'pull_request_target',
'',
github.ref
)
}}
Comment on lines +47 to +54
run: |
set -euo pipefail

export GH_HOST="${GITHUB_SERVER_URL#*://}"

Author

I couldn't find a reference to this variable anywhere. Should this be cleaned up?

➜  upload-code-coverage git:(security/replace-injected-variables) ag --hidden GH_HOST
action.yml
56:        export GH_HOST="${GITHUB_SERVER_URL#*://}"
➜  upload-code-coverage git:(security/replace-injected-variables)


if [ "$GITHUB_EVENT_NAME" = "merge_group" ]; then
echo "::warning::Skipping coverage upload for merge queue. Configure your workflow to upload coverage for PRs and the default branch instead. To avoid spinning up a runner, add \"if: github.event_name != 'merge_group'\" to the upload job."
exit 0
fi

if [ "${{ github.event.pull_request.head.repo.full_name }}" != "" ] && \
[ "${{ github.event.pull_request.head.repo.full_name }}" != "$GITHUB_REPOSITORY" ]; then
echo "::notice::Skipping coverage upload for fork PR (from ${{ github.event.pull_request.head.repo.full_name }})"
if [ "$PULL_REQUEST_HEAD_REPO_NAME" != "" ] && \
[ "$PULL_REQUEST_HEAD_REPO_NAME" != "$GITHUB_REPOSITORY" ]; then
echo "::notice::Skipping coverage upload for fork PR (from $PULL_REQUEST_HEAD_REPO_NAME)"
exit 0
fi

if [ "$GITHUB_EVENT_NAME" = "pull_request" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_target" ]; then
COMMIT_OID="${{ github.event.pull_request.head.sha }}"
REF=""
PR_NUMBER="${{ github.event.pull_request.number }}"
else
COMMIT_OID="${{ github.sha }}"
REF="${{ github.ref }}"
if [ "$GITHUB_EVENT_NAME" != "pull_request" ] && [ "$GITHUB_EVENT_NAME" != "pull_request_target" ]; then
PR_NUMBER=$(gh pr list \
--repo "$GITHUB_REPOSITORY" \
--head "${{ github.ref_name }}" \
--head "$GITHUB_REF_NAME" \
--state open \
--json number \
--jq '.[0].number // empty' 2>/dev/null || true)
fi

COMMIT_OID="$COMMIT_OID" \
REF="$REF" \
PR_NUMBER="$PR_NUMBER" \
python3 "$GITHUB_ACTION_PATH/upload_coverage.py"
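
Review bot: The `export GH_HOST="${GITHUB_SERVER_URL#*://}"` line near the top of the script should stay and get a one-line comment. The `gh` CLI reads `GH_HOST` from the environment to choose which server to talk to, so the `gh pr list` call further down depends on it when the action runs against a host other than github.com, even though no file in the repository mentions the name. Separately, the `COMMIT_OID="$COMMIT_OID"`, `REF="$REF"` and `PR_NUMBER="$PR_NUMBER"` prefixes on the final `python3` call are now no-ops: all three are already exported through the step's `env:` block, and reassigning `PR_NUMBER` inside the `if` keeps it exported, so the prefixes can be dropped.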