This is an automated email from the ASF dual-hosted git repository.
pkarwasz pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/logging-parent.git
The following commit(s) were added to refs/heads/main by this push:
new ded182e Improve resilience to script injection (#344)
ded182e is described below
commit ded182e3ab29a8f84644d96386f387181234f7af
Author: Piotr P. Karwasz <[email protected]>
AuthorDate: Tue Mar 18 13:10:58 2025 +0100
Improve resilience to script injection (#344)
* Improve resilience to script injection
This change removes all direct usages of GitHub expressions to prevent
potential script injections.
**Note**: The GitHub expressions modified in this PR only come from
**trusted** sources, so these problems are not exploitable. We wish, however,
to prevent possible errors in the future.
* Remove old changelog directory
* Move `PROJECT_ID` from job to steps
---
.github/workflows/deploy-release-reusable.yaml | 4 +++-
.github/workflows/deploy-site.yaml | 4 +++-
.github/workflows/verify-reproducibility-reusable.yaml | 3 ++-
3 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/deploy-release-reusable.yaml
b/.github/workflows/deploy-release-reusable.yaml
index ec09798..eee52f9 100644
--- a/.github/workflows/deploy-release-reusable.yaml
+++ b/.github/workflows/deploy-release-reusable.yaml
@@ -224,6 +224,8 @@ jobs:
- name: Create the distribution
shell: bash
+ env:
+ PROJECT_ID: ${{ inputs.project-id }}
run: |
# Generate the distribution (i.e., `src.zip` and optional `bin.zip`)
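Review bot: The new `env:` entry on the `Create the distribution` step carries no comment explaining why the expression is placed there instead of inside `run:`, and the same convention is introduced in deploy-site.yaml and verify-reproducibility-reusable.yaml without one either. A one-line comment above `PROJECT_ID` would keep a later edit from reverting to inline interpolation: `# Pass workflow inputs through env; never interpolate ${{ }} inside run:`. The `run:` block itself continues past the end of this hunk.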
@@ -235,7 +237,7 @@ jobs:
-DattachmentCount="$DIST_ATTACHMENT_COUNT"
# Rename distribution files
- export DIST_FILENAME_PREFIX="apache-${{ inputs.project-id }}"
+ export DIST_FILENAME_PREFIX="apache-${PROJECT_ID}"
export
DIST_FILENAME_VERSIONED_PREFIX="${DIST_FILENAME_PREFIX}-${PROJECT_VERSION}"
export DIST_FILEPATH_PREFIX="/tmp/${DIST_FILENAME_VERSIONED_PREFIX}"
export DIST_FILEPATH_SRC="${DIST_FILEPATH_PREFIX}-src.zip"
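Review bot: Reading `inputs.project-id` through `PROJECT_ID` stops the value from being parsed as shell code, but the same value still flows unchecked into the paths built from `DIST_FILENAME_PREFIX` on the following lines (`/tmp/${DIST_FILENAME_VERSIONED_PREFIX}` and the `-src.zip` file derived from it), so an id containing `/`, `..` or whitespace would still yield an unintended path. The commit message says the input is trusted, so this is defence in depth rather than a live issue, but a shape check before the export closes it: `[[ "$PROJECT_ID" =~ ^[A-Za-z0-9-]+$ ]] || { echo "unexpected project-id: $PROJECT_ID" >&2; exit 1; }`, with the pattern adjusted to the ids the workflow actually accepts. The enclosing `run:` block starts and ends outside this hunk.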
diff --git a/.github/workflows/deploy-site.yaml
b/.github/workflows/deploy-site.yaml
index bd4171b..585c658 100644
--- a/.github/workflows/deploy-site.yaml
+++ b/.github/workflows/deploy-site.yaml
@@ -73,8 +73,10 @@ jobs:
steps:
- name: Export version
id: export-version
+ env:
+ REF_NAME: ${{ github.ref_name }}
run: |
- version=$(echo "${{ github.ref_name }}" | sed 's/^release\///')
+ version=$(echo "$REF_NAME" | sed 's/^release\///' | tr -d '\r\n')
echo "version=$version" >> "$GITHUB_OUTPUT"
deploy-site-rel:
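Review bot: `echo "$REF_NAME"` on the new line is the one remaining place where the value is interpreted rather than passed along: bash's builtin `echo` treats a leading `-n`, `-e` or `-E` as an option, so a ref name beginning with one of those would be mangled before `sed` sees it. `printf '%s\n' "$REF_NAME"` has no option parsing and leaves the rest of the pipeline, including the added `tr -d '\r\n'`, untouched: `version=$(printf '%s\n' "$REF_NAME" | sed 's/^release\///' | tr -d '\r\n')`. Git ref names cannot contain control characters, so the `tr` is a belt-and-braces guard against a malformed `github.ref_name` rather than a normal case; a comment above the line saying so would stop someone from removing it as redundant. The `deploy-site-rel` job that starts on the last context line continues outside the hunk.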
diff --git a/.github/workflows/verify-reproducibility-reusable.yaml
b/.github/workflows/verify-reproducibility-reusable.yaml
index a8bac1d..d69130c 100644
--- a/.github/workflows/verify-reproducibility-reusable.yaml
+++ b/.github/workflows/verify-reproducibility-reusable.yaml
@@ -37,6 +37,7 @@ on:
env:
MAVEN_ARGS: ${{ inputs.maven-args }}
+ NEXUS_URL: ${{ inputs.nexus-url }}
jobs:
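Review bot: `NEXUS_URL` is declared in the workflow-level `env:`, so it is exported to every step of every job in the file, while the only consumer visible in this commit is the `./mvnw` step in the second hunk. That mirrors how `MAVEN_ARGS` is already declared, so it is consistent, but a step-level `env:` on the mvnw step, as done for `PROJECT_ID` and `REF_NAME` in the other two files, would keep the input scoped to where it is read. Either way a short comment above the entry, `# Inputs are exposed as env vars so run: scripts never interpolate ${{ }} directly`, would record the convention for the next contributor.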
@@ -70,7 +71,7 @@ jobs:
./mvnw \
--show-version --batch-mode --errors --no-transfer-progress \
-DskipTests=true \
- -Dreference.repo=${{ inputs.nexus-url }} \
+ -Dreference.repo="${NEXUS_URL}" \
clean verify artifact:compare
# Upload reproducibility results if the build fails.
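Review bot: Quoting `"${NEXUS_URL}"` on the new line fixes word splitting, but nothing on the new side checks the value's shape before it is handed to Maven as `-Dreference.repo=`, so an empty or non-https input is passed through silently. If the compare step downloads reference artifacts from that repository (inferred from the property name, not visible here), a guard placed before `./mvnw` would fail fast instead, assuming the step runs under bash: `[[ "$NEXUS_URL" == https://* ]] || { echo "nexus-url must be an https URL: $NEXUS_URL" >&2; exit 1; }`. The `run:` block containing the mvnw invocation starts before this hunk.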