Merge pull request #346 from oasisprotocol/lw/harden-gh-actions

workflow: Harden GitHub workflow against injection
oasisprotocol · Aug 14, 2024 · 1f7939f · 1f7939f
2 parents 865b6ec + 57eb02b
commit 1f7939f
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
@@ -41,8 +41,13 @@ jobs:
         run: pnpm build
       - name: Extract package from tag
         id: extract-tag
+        env:
+          # There's no support for escaping this for use in a shell command.
+          # GitHub's recommendation is to pass it through the environment.
+          # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
+          REF_NAME: ${{ github.ref_name }}
         run: |
-          echo "NPM_PACKAGE=$(echo ${{ github.ref_name }} | grep -oE '(clients/js|contracts|integrations/(hardhat|wagmi-v2|viem-v2))')" >> $GITHUB_OUTPUT
+          echo "NPM_PACKAGE=$(echo $REF_NAME | grep -oE '(clients/js|contracts|integrations/(hardhat|wagmi-v2|viem-v2))')" >> $GITHUB_OUTPUT
       - name: Publish ${{ github.ref_name }} to NPM
         uses: JS-DevTools/npm-publish@v3
         with: