This is an automated email from the ASF dual-hosted git repository.
acosentino pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel.git
The following commit(s) were added to refs/heads/main by this push:
new 587a0ab1ecec Fix GitHub Actions script injection in composite actions (#22277)
587a0ab1ecec is described below
commit 587a0ab1ecec02edc7ddd816c3978a1e370c4608
Author: Andrea Cosentino <[email protected]>
AuthorDate: Thu Mar 26 11:07:26 2026 +0100
Fix GitHub Actions script injection in composite actions (#22277)
Replace direct ${{ }} expression interpolation in shell run: commands
with environment variables passed via env: blocks to prevent script
injection (githubactions:S7630). Affected actions:
- detect-dependencies/action.yaml: inputs.pr-id, inputs.github-repo,
steps.install-mvnd.outputs.mvnd-dir
- pr-id/action.yml: inputs.artifact-name, github.event.number
Signed-off-by: Andrea Cosentino <[email protected]>
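As an added example, not code from this commit or the Camel project, the script below shows why the replacement described in the commit message matters. It mimics what the Actions runner does with a `run:` block: `${{ }}` expressions are substituted into the script text before the shell parses it, whereas a value passed through `env:` is expanded by the shell at runtime and stays data. The template strings, the `PAYLOAD` value and all function names are constructed for the demonstration; the positional-argument functions mirror the `detect-test.sh "$MVND_DIR/mvnd" "$PR_ID"` shape of the fix without using the real script.

```shell
#!/bin/sh
# Added example: simulates GitHub Actions expression expansion in `run:`.
# Not part of the Camel commit; all names and inputs here are constructed.

# Constructed attacker-controlled value, e.g. an artifact name or a
# PR-derived input that a caller of a composite action could supply.
PAYLOAD='x"; echo INJECTED; echo "'

# Vulnerable pattern, template `echo "arg=${{ inputs.name }}"`.
# The runner replaces the expression with the raw value *in the script text*,
# so the quote and semicolons in PAYLOAD become shell syntax.
run_interpolated() {
  script=$(printf 'echo "arg=%s"' "$1")
  sh -c "$script"
}

# Hardened pattern, template `echo "arg=$NAME"` with NAME supplied via env:.
# The shell expands $NAME at run time; the value is never re-parsed as code.
run_via_env() {
  NAME="$1" sh -c 'echo "arg=$NAME"'
}

# The same difference for positional arguments: an unquoted expression is
# subject to word splitting, a quoted env var arrives as a single argument.
count_args_interpolated() {
  script=$(printf 'count() { echo $#; }; count %s' "$1")
  sh -c "$script"
}
count_args_via_env() {
  ARG="$1" sh -c 'count() { echo $#; }; count "$ARG"'
}

# Prints "yes" if running the given function with PAYLOAD executed the
# injected command, "no" otherwise.
injected() {
  if "$1" "$PAYLOAD" | grep -q '^INJECTED$'; then
    echo yes
  else
    echo no
  fi
}

# Stand-alone demonstration output.
printf 'interpolated -> injected=%s\n' "$(injected run_interpolated)"
printf 'via env      -> injected=%s, output: %s\n' \
  "$(injected run_via_env)" "$(run_via_env "$PAYLOAD")"
printf 'args "1 2 3" -> interpolated=%s via env=%s\n' \
  "$(count_args_interpolated '1 2 3')" "$(count_args_via_env '1 2 3')"
```

Quoting the variable is what makes the second half of the fix hold: `"$PR_ID"` is one argument whatever it contains, while `$PR_ID` unquoted would still split on whitespace even though it can no longer inject shell syntax.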
---
.github/actions/detect-dependencies/action.yaml | 5 ++++-
.github/actions/pr-id/action.yml | 7 +++++--
2 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/.github/actions/detect-dependencies/action.yaml
b/.github/actions/detect-dependencies/action.yaml
index 285f90c8e6d7..e6334fc4d6b2 100644
--- a/.github/actions/detect-dependencies/action.yaml
+++ b/.github/actions/detect-dependencies/action.yaml
@@ -42,8 +42,11 @@ runs:
- name: maven test
env:
GITHUB_TOKEN: ${{ inputs.github-token }}
+ MVND_DIR: ${{ steps.install-mvnd.outputs.mvnd-dir }}
+ PR_ID: ${{ inputs.pr-id }}
+ GITHUB_REPO: ${{ inputs.github-repo }}
shell: bash
- run: ${{ github.action_path }}/detect-test.sh ${{
steps.install-mvnd.outputs.mvnd-dir }}/mvnd ${{ inputs.pr-id }} ${{
inputs.github-repo }}
+ run: ${{ github.action_path }}/detect-test.sh "$MVND_DIR/mvnd" "$PR_ID"
"$GITHUB_REPO"
- name: Post dependency change comment
if: always()
uses: actions/github-script@v8
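Review bot: quoting "$PR_ID" and "$GITHUB_REPO" on the new run: line changes argument handling when an input is empty: the old unquoted form dropped an empty value and shifted the remaining positional parameters, the new form passes "" in its position, so confirm detect-test.sh tolerates an empty $2 or $3 (or mark pr-id and github-repo as required inputs). The values now reach detect-test.sh as arguments, so the injection risk only disappears if that script quotes them too rather than splicing them into another command or an eval; worth checking in the same change. ${{ github.action_path }} is still interpolated directly; it is runner-provided rather than attacker-controlled, so it is not an injection vector, but quoting it ("${{ github.action_path }}/detect-test.sh") keeps the line robust to spaces in the checkout path. Minor: GITHUB_REPO sits next to the runner's own GITHUB_REPOSITORY; a name without the GITHUB_ prefix (for example TARGET_REPO) avoids confusing it with a runner-provided variable.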
diff --git a/.github/actions/pr-id/action.yml b/.github/actions/pr-id/action.yml
index d5f97f8d02c5..94de6a80ebfa 100644
--- a/.github/actions/pr-id/action.yml
+++ b/.github/actions/pr-id/action.yml
@@ -33,9 +33,12 @@ runs:
- name: Save new coverage value
if: github.event_name == 'pull_request'
shell: bash
+ env:
+ ARTIFACT_NAME: ${{ inputs.artifact-name }}
+ EVENT_NUMBER: ${{ github.event.number }}
run: |
- mkdir -p /tmp/${{ inputs.artifact-name }}
- echo ${{ github.event.number }} > /tmp/${{ inputs.artifact-name }}/id
+ mkdir -p "/tmp/$ARTIFACT_NAME"
+ echo "$EVENT_NUMBER" > "/tmp/$ARTIFACT_NAME/id"
- uses: actions/upload-artifact@v4
if: github.event_name == 'pull_request'
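Review bot: moving inputs.artifact-name into ARTIFACT_NAME stops the value being parsed as shell, but the quoted "/tmp/$ARTIFACT_NAME" still accepts path components, so a caller-supplied value such as ../../home/runner/x (a constructed example) would create and write outside /tmp. Add a validation step before the mkdir, for example `case "$ARTIFACT_NAME" in ""|*[!A-Za-z0-9._-]*) echo "invalid artifact-name" >&2; exit 1;; esac`, and apply the same check if the name is also passed to the actions/upload-artifact@v4 step below. Of the two values moved, github.event.number is a GitHub-assigned integer rather than attacker text, so EVENT_NUMBER was the lower-risk one; the artifact-name input is the one that warranted the change and still deserves the allow-list.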