
CI: move potentially exploitable vars to env
Any variable that an attacker can control and that is expanded inline in a script is a risk.
Grimler91 committed Dec 11, 2024
1 parent ef7b125 commit 531bfaa
Showing 2 changed files with 11 additions and 4 deletions.
3 changes: 2 additions & 1 deletion .github/workflows/package_updates.yml
Expand Up @@ -153,12 +153,13 @@ jobs:
CREATE_ISSUE: "true"
GIT_COMMIT_PACKAGES: "true"
GIT_PUSH_PACKAGES: "true"
MANUAL_INPUT_PACKAGES: ${{ github.event.inputs.packages }}
run: |
git config --global user.name "Termux Github Actions"
git config --global user.email "contact@termux.dev"
if [ "${{ github.event_name }}" == "workflow_dispatch" ]; then
./scripts/bin/update-packages ${{ github.event.inputs.packages }}
./scripts/bin/update-packages $MANUAL_INPUT_PACKAGES
else
./scripts/bin/update-packages "@all"
fi
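Review bot: `$MANUAL_INPUT_PACKAGES` on the `./scripts/bin/update-packages` line is still expanded unquoted, so a dispatch input containing `*` or `?` is subject to pathname expansion against the checkout before the script sees it; moving the value to `env:` stops it being interpreted as shell code, which is the important part, but word splitting and globbing remain. If a space-separated list is intended, iterate over the words without globbing, e.g. `read -ra pkgs <<<"$MANUAL_INPUT_PACKAGES"` and pass `"${pkgs[@]}"` to the script, or run `set -f` before the call. A short allow-list check would also document the expected shape of the input, e.g. `case "$MANUAL_INPUT_PACKAGES" in *[![:alnum:]._+@/[:space:]-]*) echo 'unexpected characters in packages input' >&2; exit 1;; esac` (character set to be confirmed against the repo's package names). The enclosing step starts before this hunk.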
12 changes: 9 additions & 3 deletions .github/workflows/packages.yml
Expand Up @@ -40,6 +40,8 @@ jobs:
persist-credentials: false
- name: Gather build summary
id: build-info
env:
MANUAL_INPUT_PACKAGES: ${{ github.event.inputs.packages }}
run: |
if [ "${{ github.event_name }}" != "workflow_dispatch" ]; then
BASE_COMMIT=$(jq --raw-output .pull_request.base.sha "$GITHUB_EVENT_PATH")
Expand Down Expand Up @@ -111,7 +113,7 @@ jobs:
done<<<${CHANGED_FILES}
done
else
for pkg in ${{ github.event.inputs.packages }}; do
for pkg in $MANUAL_INPUT_PACKAGES; do
repo_paths=$(jq --raw-output 'del(.pkg_format) | keys | .[]' repo.json)
found=false
for repo_path in $repo_paths; do
Expand Down Expand Up @@ -190,6 +192,8 @@ jobs:
fi
- name: Free additional disk space (if needed)
env:
DOCKER_BUILD: ${{ steps.build-info.outputs.docker-build }}
run: |
declare -a packages
for repo_path in $(jq --raw-output 'del(.pkg_format) | keys | .[]' repo.json); do
Expand All @@ -199,7 +203,7 @@ jobs:
fi
done
if [ ${{ steps.build-info.outputs.docker-build }} == 'false' ]; then
if [ "$DOCKER_BUILD" == 'false' ]; then
./scripts/setup-ubuntu.sh
sudo apt install ninja-build
sudo apt purge -yq $(dpkg -l | grep '^ii' | awk '{ print $2 }' | grep -P '(aspnetcore|cabal-|dotnet-|ghc-|libmono|mongodb-|mysql-|php)') \
Expand All @@ -210,6 +214,8 @@ jobs:
fi
- name: Build packages
env:
DOCKER_BUILD: ${{ steps.build-info.outputs.docker-build }}
run: |
declare -a packages
for repo_path in $(jq --raw-output 'del(.pkg_format) | keys | .[]' repo.json); do
Expand All @@ -219,7 +225,7 @@ jobs:
fi
done
if [ ${{ steps.build-info.outputs.docker-build }} == 'false' ]; then
if [ "$DOCKER_BUILD" == 'false' ]; then
NDK=$ANDROID_NDK ANDROID_HOME=$ANDROID_SDK_ROOT ./build-package.sh -I -a ${{ matrix.target_arch }} $packages
elif [ -n "$packages" ]; then
./scripts/run-docker.sh ./build-package.sh -I -a ${{ matrix.target_arch }} $packages
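Review bot: `for pkg in $MANUAL_INPUT_PACKAGES; do` in the second hunk keeps the dispatch input unquoted, so besides the intended word splitting a value containing `*` or `?` undergoes pathname expansion against the checkout; the `env:` move removes the script-injection path, but the loop should read the words without globbing, e.g. `read -ra manual_pkgs <<<"$MANUAL_INPUT_PACKAGES"` followed by `for pkg in "${manual_pkgs[@]}"; do`. The same unquoted expansion is present in package_updates.yml in this commit. In the two `DOCKER_BUILD` hunks, both the old unquoted and the new quoted comparison fall through to the else branch when the build-info output is empty; `[ "${DOCKER_BUILD:?}" == 'false' ]` would make a missing output fail the step instead of silently choosing the docker path. The `run:` bodies of these steps extend beyond the hunks shown.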
