Conversation

sanikachavan5 (Contributor)

Description

use hardcoded names for preventing attacks

Testing & Reproduction steps

Links

PR Checklist

  • updated test coverage
  • external facing docs updated
  • appropriate backport labels added
  • not a security concern

PCI review checklist

  • I have documented a clear reason for, and description of, the change I am making.

  • If applicable, I've documented a plan to revert these changes if they require more than reverting the pull request.

  • If applicable, I've documented the impact of any changes to security controls.

    Examples of changes to security controls include using new access control methods, adding or removing logging pipelines, etc.

@sanikachavan5 sanikachavan5 requested a review from a team as a code owner September 8, 2025 18:48
@github-actions github-actions bot added labels: type/ci (Relating to continuous integration (CI) tooling for testing or releases), theme/contributing (Additions and enhancements to community contributing materials), Sep 8, 2025
@sanikachavan5 sanikachavan5 added labels: pr/no-changelog (PR does not need a corresponding .changelog entry), backport/all (Apply backports for all active releases per .release/versions.hcl), backport/ent/1.18 (Changes are backported to 1.18 ent), backport/ent/1.19 (Changes are backported to 1.19 ent), backport/ent/1.20 (backport to ent 1.20), Sep 8, 2025
@dduzgun-security dduzgun-security changed the title use hardcoded names for preventing attacks remove usage of dynamic GitHub actions variable Sep 12, 2025
@@ -562,6 +562,8 @@ jobs:
# Capturing in an env var makes this safe against GHA shell injection via commit message.
# See https://securitylab.github.com/research/github-actions-untrusted-input/
COMMIT_MESSAGE_FULL: ${{ github.event.head_commit.message }}
# Capturing workflow name in env var to prevent shell injection
WORKFLOW_NAME: ${{ github.workflow }}
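Review bot: the hunk shows only the new `env:` entry `WORKFLOW_NAME: ${{ github.workflow }}`, not the `run:` step that consumes it, so this diff alone does not establish that the inline `${{ github.workflow }}` interpolation was actually removed, which is what the retitled PR ("remove usage of dynamic GitHub actions variable") claims. Please include the consuming step in the diff and make sure it reads the value as `"$WORKFLOW_NAME"` (double-quoted, so the shell neither word-splits nor globs it). The comment on the new line could also mirror the one two lines above it and cite the same securitylab reference, since the reasoning is identical: the value reaches the shell as data in an environment variable instead of being substituted into the script text.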
Collaborator

Nice, having that as an env sanitizes the value.

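As an added illustration, not code from the PR or from the project, the POSIX shell script below simulates the two ways of getting an untrusted value such as a commit message into a `run:` step that the hunk above contrasts: textual substitution of a `${{ ... }}` expression into the script body, versus passing it through `env:` and reading it as `"$COMMIT_MESSAGE_FULL"`. The commit-message values are constructed samples, and `interpolated_run` and `env_run` are hypothetical helper names standing in for the Actions runner, which performs the substitution before the shell ever sees the script.

```shell
#!/bin/sh
# Added example, not from the PR. Simulates how GitHub Actions hands a value to
# a `run:` step, using constructed attacker-controlled commit messages.

# Constructed sample values an attacker could place in a commit message.
CMD_SUBST_MESSAGE='fix typo $(echo INJECTED)'
QUOTE_BREAK_MESSAGE='"; echo INJECTED; echo "'

# Vulnerable pattern:  run: echo "${{ github.event.head_commit.message }}"
# The runner substitutes the expression into the script TEXT first, so the
# shell parses whatever the message contained as code.
interpolated_run() {
    script="echo \"$1\""   # textual substitution, as the runner does
    sh -c "$script"
}

# Hardened pattern (the one used in the hunk):
#   env:
#     COMMIT_MESSAGE_FULL: ${{ github.event.head_commit.message }}
#   run: echo "$COMMIT_MESSAGE_FULL"
# The script text is fixed; the value arrives in an environment variable and
# the double-quoted expansion keeps it as one string of plain data.
env_run() {
    COMMIT_MESSAGE_FULL="$1" sh -c 'echo "$COMMIT_MESSAGE_FULL"'
}

# Stand-alone demonstration: the first line shows the injected command running,
# the second shows the same message echoed back verbatim.
printf 'interpolated: [%s]\n' "$(interpolated_run "$CMD_SUBST_MESSAGE")"
printf 'env var:      [%s]\n' "$(env_run "$CMD_SUBST_MESSAGE")"
```

The second sample (`QUOTE_BREAK_MESSAGE`) closes the surrounding double quote and appends its own commands, which is the classic shape of the attack; through `env:` it is printed back unchanged.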
Collaborator

@dduzgun-security dduzgun-security left a comment

LGTM, thank you for working on it.

Labels
backport/all (Apply backports for all active releases per .release/versions.hcl), backport/ent/1.18 (Changes are backported to 1.18 ent), backport/ent/1.19 (Changes are backported to 1.19 ent), backport/ent/1.20 (backport to ent 1.20), pr/no-changelog (PR does not need a corresponding .changelog entry), theme/contributing (Additions and enhancements to community contributing materials), type/ci (Relating to continuous integration (CI) tooling for testing or releases)