From 83552d6995a371be8b4860f9f1068f78f2f7b1af Mon Sep 17 00:00:00 2001
From: Ju4tCode <42488585+yanyongyu@users.noreply.github.com>
Date: Mon, 18 Nov 2024 23:09:11 +0800
Subject: [PATCH] :lock: Security: restrict workflow context (#3124)

Co-authored-by: polarathene <5098581+polarathene@users.noreply.github.com>
---
 .github/workflows/website-preview-cd.yml | 9 +++++++--
 .github/workflows/website-preview-ci.yml | 4 ++--
 2 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/website-preview-cd.yml b/.github/workflows/website-preview-cd.yml
index ac8edbe4..8742b39e 100644
--- a/.github/workflows/website-preview-cd.yml
+++ b/.github/workflows/website-preview-cd.yml
@@ -45,11 +45,16 @@ jobs:
 
       - name: Restore Context
         run: |
-          cat action.env >> $GITHUB_ENV
+          PR_NUMBER=$(cat ./pr-number)
+          if ! [[ "${PR_NUMBER}" =~ ^[0-9]+$ ]]; then
+            echo "Invalid PR number: ${PR_NUMBER}"
+            exit 1
+          fi
+          echo "PR_NUMBER=${PR_NUMBER}" >> "${GITHUB_ENV}"
 
       - name: Set Deploy Name
         run: |
-          echo "DEPLOY_NAME=deploy-preview-${{ env.PR_NUMBER }}" >> $GITHUB_ENV
+          echo "DEPLOY_NAME=deploy-preview-${PR_NUMBER}" >> "${GITHUB_ENV}"
 
       - name: Deploy to Netlify
         id: deploy
diff --git a/.github/workflows/website-preview-ci.yml b/.github/workflows/website-preview-ci.yml
index 1898bd57..a2ddc5e7 100644
--- a/.github/workflows/website-preview-ci.yml
+++ b/.github/workflows/website-preview-ci.yml
@@ -30,7 +30,7 @@ jobs:
 
       - name: Export Context
         run: |
-          echo "PR_NUMBER=${{ github.event.number }}" >> ./action.env
+          echo "${{ github.event.pull_request.number }}" > ./pr-number
 
       - name: Upload Artifact
         uses: actions/upload-artifact@v4
@@ -38,5 +38,5 @@ jobs:
           name: website-preview
           path: |
             ./website/build
-            ./action.env
+            ./pr-number
           retention-days: 1
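Review bot: The digit check added in Restore Context stops shell-metacharacter injection but does not stop a spoofed value: the pr-number file is produced by the pull_request-triggered CI run, whose workflow file and steps a PR can itself modify, so any well-formed number (including another PR's) passes the regex and becomes DEPLOY_NAME in Set Deploy Name. If this job runs on workflow_run, as the artifact hand-off suggests, the number should also be cross-checked against the producing run before it is exported, e.g. resolve the PR associated with `${{ github.event.workflow_run.head_sha }}` via the API and fail unless it equals `${PR_NUMBER}`. Two smaller points in the same step: `[[ ... =~ ... ]]` is bash-only, so adding `shell: bash` to the step pins that regardless of runner defaults, and the failure message should go to stderr, `echo "Invalid PR number: ${PR_NUMBER}" >&2`. The enclosing job definition starts before the hunk.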
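Review bot: Export Context still splices a `${{ }}` expression straight into the shell script; the value is numeric so it is safe as written, but the pattern the commit is moving away from is the same one, and the consistent fix is to pass it through `env:` and read it as a shell variable: `env:` / `PR_NUMBER: ${{ github.event.pull_request.number }}` / `run: echo "${PR_NUMBER}" > ./pr-number`. Note also that `github.event.pull_request.number` is empty on any trigger other than pull_request, which would write a blank file that the CD side now rejects with "Invalid PR number"; a one-line comment above the step, `# pr-number is consumed and validated by website-preview-cd.yml; only pull_request runs produce a value`, would make that coupling visible. The enclosing job definition starts before the hunk.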