debian-forge

History

Ondřej Budai b3123a1c19 github: prevent script injections via PR branch names Prior this commit, ${{ github.event.workflow_run.head_branch }} got expanded in the bash script. A malicious actor could inject an arbitrary shell script. Since this action has access to a token with write rights the malicious actor can easily steal this token. This commit moves the expansion into an env block where such an injection cannot happen. This is the preferred way according to the github docs: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable	2024-12-03 18:40:04 +01:00
..
workflows	github: prevent script injections via PR branch names	2024-12-03 18:40:04 +01:00
mergify.yml	[skip ci] ci: switch to using automerge	2021-12-08 14:13:43 +01:00

Ondřej Budai b3123a1c19 github: prevent script injections via PR branch names

Prior this commit, ${{ github.event.workflow_run.head_branch }} got
expanded in the bash script. A malicious actor could inject
an arbitrary shell script. Since this action has access to a token
with write rights the malicious actor can easily steal this token.

This commit moves the expansion into an env block where such an
injection cannot happen. This is the preferred way according to the
github docs:
https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable

2024-12-03 18:40:04 +01:00

workflows

github: prevent script injections via PR branch names

2024-12-03 18:40:04 +01:00

mergify.yml

[skip ci] ci: switch to using automerge

2021-12-08 14:13:43 +01:00