This is an automated email from the ASF dual-hosted git repository. acosentino pushed a commit to branch fix-gh-action in repository https://gitbox.apache.org/repos/asf/camel.git
commit d38b7fc092d669e12eecd28643a61be753531de2 Author: Andrea Cosentino <[email protected]> AuthorDate: Thu Mar 26 10:09:24 2026 +0100 Fix GitHub Actions script injection in composite actions Replace direct ${{ }} expression interpolation in shell run: commands with environment variables passed via env: blocks to prevent script injection (githubactions:S7630). Affected actions: - detect-dependencies/action.yaml: inputs.pr-id, inputs.github-repo, steps.install-mvnd.outputs.mvnd-dir - pr-id/action.yml: inputs.artifact-name, github.event.number Signed-off-by: Andrea Cosentino <[email protected]> --- .github/actions/detect-dependencies/action.yaml | 5 ++++- .github/actions/pr-id/action.yml | 7 +++++-- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/.github/actions/detect-dependencies/action.yaml b/.github/actions/detect-dependencies/action.yaml index 285f90c8e6d7..e6334fc4d6b2 100644 --- a/.github/actions/detect-dependencies/action.yaml +++ b/.github/actions/detect-dependencies/action.yaml @@ -42,8 +42,11 @@ runs: - name: maven test env: GITHUB_TOKEN: ${{ inputs.github-token }} + MVND_DIR: ${{ steps.install-mvnd.outputs.mvnd-dir }} + PR_ID: ${{ inputs.pr-id }} + GITHUB_REPO: ${{ inputs.github-repo }} shell: bash - run: ${{ github.action_path }}/detect-test.sh ${{ steps.install-mvnd.outputs.mvnd-dir }}/mvnd ${{ inputs.pr-id }} ${{ inputs.github-repo }} + run: ${{ github.action_path }}/detect-test.sh "$MVND_DIR/mvnd" "$PR_ID" "$GITHUB_REPO" - name: Post dependency change comment if: always() uses: actions/github-script@v8 diff --git a/.github/actions/pr-id/action.yml b/.github/actions/pr-id/action.yml index d5f97f8d02c5..94de6a80ebfa 100644 --- a/.github/actions/pr-id/action.yml +++ b/.github/actions/pr-id/action.yml 
@@ -33,9 +33,12 @@ runs: - name: Save new coverage value if: github.event_name == 'pull_request' shell: bash + env: + ARTIFACT_NAME: ${{ inputs.artifact-name }} + EVENT_NUMBER: ${{ github.event.number }} run: | - mkdir -p /tmp/${{ inputs.artifact-name }} - echo ${{ github.event.number }} > /tmp/${{ inputs.artifact-name }}/id + mkdir -p "/tmp/$ARTIFACT_NAME" + echo "$EVENT_NUMBER" > "/tmp/$ARTIFACT_NAME/id" - uses: actions/upload-artifact@v4 if: github.event_name == 'pull_request'
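Review bot: in the detect-dependencies hunk, `${{ github.action_path }}` is still interpolated directly into the `run:` line of the "maven test" step, even though the commit message says direct `${{ }}` interpolation in `run:` commands was replaced. That value is runner-supplied rather than caller-supplied, so it is not the injection vector this change targets, but it is also unquoted, so a checkout path containing whitespace would still break the command. For consistency with the rest of the fix, consider adding `ACTION_PATH: ${{ github.action_path }}` to the same `env:` block and switching to a block scalar so the quoting is valid YAML, e.g. `run: |` followed by `"$ACTION_PATH/detect-test.sh" "$MVND_DIR/mvnd" "$PR_ID" "$GITHUB_REPO"`.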
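Review bot: in the pr-id hunk, the quoting in `mkdir -p "/tmp/$ARTIFACT_NAME"` and `echo "$EVENT_NUMBER" > "/tmp/$ARTIFACT_NAME/id"` stops the values from being interpreted by the shell, which is the S7630 concern, but `ARTIFACT_NAME` is still used as a path component without validation, so an `artifact-name` containing `/` or `..` would create and write outside `/tmp`. The input comes from the calling workflow rather than from the pull request, so exposure is limited, but now that the value sits in a variable a guard before the `mkdir`, such as `[[ "$ARTIFACT_NAME" =~ ^[A-Za-z0-9._-]+$ ]] || { echo "invalid artifact-name" >&2; exit 1; }`, would close that gap cheaply. A short comment on the new `env:` block explaining that the indirection exists to avoid script injection would also help keep a later edit from inlining the expressions again.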
