debian-forge/.github/workflows
Ondřej Budai b3123a1c19 github: prevent script injections via PR branch names
Prior to this commit, ${{ github.event.workflow_run.head_branch }} got
expanded in the bash script. A malicious actor could inject
an arbitrary shell script. Since this action has access to a token
with write rights, the malicious actor can easily steal this token.

This commit moves the expansion into an env block where such an
injection cannot happen. This is the preferred way according to the
github docs:
https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
2024-12-03 18:40:04 +01:00
check.yml GH actions: use the latest build of osbuild-ci* containers 2024-11-28 13:29:12 +01:00
coverity.yml coverity.yml: Bump actions/checkout to v4 2024-04-10 01:32:51 +02:00
create-tag.yml ci: Adjust release schedule timer 2022-06-15 11:47:41 +02:00
generate.yml GH actions: use the latest build of osbuild-ci* containers 2024-11-28 13:29:12 +01:00
pr_best_practices.yml actions: Add a PR best practices check 2024-03-05 12:01:10 +02:00
propagate_to_manifestdb.yml manifest-db: propagate the osbuild SHA on manifest-db 2022-09-23 14:18:38 +02:00
release.yml release-action: Send notification to our Slack channel 2021-12-11 14:06:13 +01:00
stale-cleanup.yml Actions: add workflow for marking and closing stale issues and PRs 2023-09-06 17:49:43 +02:00
test-on-centos.yml GH actions: use the latest build of osbuild-ci* containers 2024-11-28 13:29:12 +01:00
test.yml workflow: install python3-pytest too to workaround test_host.py 2024-11-28 20:06:51 +01:00
trigger-gitlab.yml github: prevent script injections via PR branch names 2024-12-03 18:40:04 +01:00