mirror of
https://github.com/actions/checkout.git
synced 2024-11-15 11:54:30 +08:00
Prevent Script Injection Attack
The user provided inputs here are vulnerable to script injection. This PR uses an intermediary environment variable to treat the input as a string, rather than as part of the command. See: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
This commit is contained in:
parent
755da8c3cf
commit
fe77b196f4
7
.github/workflows/update-main-version.yml
vendored
7
.github/workflows/update-main-version.yml
vendored
@ -16,6 +16,9 @@ on:
|
|||||||
jobs:
|
jobs:
|
||||||
tag:
|
tag:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
env:
|
||||||
|
TARGET: ${{ github.event.inputs.target }}
|
||||||
|
MAIN_VERSION: ${{ github.event.inputs.main_version }}
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v3
|
- uses: actions/checkout@v3
|
||||||
with:
|
with:
|
||||||
@ -25,6 +28,6 @@ jobs:
|
|||||||
git config user.name github-actions
|
git config user.name github-actions
|
||||||
git config user.email github-actions@github.com
|
git config user.email github-actions@github.com
|
||||||
- name: Tag new target
|
- name: Tag new target
|
||||||
run: git tag -f ${{ github.event.inputs.main_version }} ${{ github.event.inputs.target }}
|
run: git tag -f "$MAIN_VERSION" "$TARGET"
|
||||||
- name: Push new tag
|
- name: Push new tag
|
||||||
run: git push origin ${{ github.event.inputs.main_version }} --force
|
run: git push origin "$MAIN_VERSION" --force
|
||||||
|
Loading…
Reference in New Issue
Block a user