chore: Apply security suggestions for gha (#1681)

kyma-project · Dec 16, 2024 · de5287c · de5287c
1 parent 6874669
commit de5287c
Showing 1 changed file with 14 additions and 5 deletions.
diff --git a/.github/workflows/pr-github-checks.yml b/.github/workflows/pr-github-checks.yml
@@ -31,38 +31,47 @@ jobs:
       - name: Check for area label
         if: always()
         run: |
-          gh api --jq '.labels.[].name' /repos/${{ github.repository }}/pulls/${{ github.event.number }} | \
+          gh api --jq '.labels.[].name' /repos/${REPO}/pulls/${NUMBER} | \
           grep -q '^area\/' || (echo "area label missing"; exit 1)
         env:
           GH_TOKEN: ${{ github.token }}
+          REPO: ${{ github.repository }}
+          NUMBER: ${{ github.event.number }}
 
       - name: Check for kind label
         if: always()
         run: |
-          gh api --jq '.labels.[].name' /repos/${{ github.repository }}/pulls/${{ github.event.number }} | \
+          gh api --jq '.labels.[].name' /repos/${REPO}/pulls/${NUMBER} | \
           grep -q '^kind\/' || (echo "kind label missing"; exit 1)
         env:
           GH_TOKEN: ${{ github.token }}
+          REPO: ${{ github.repository }}
+          NUMBER: ${{ github.event.number }}
 
       - name: Check if kind label matches pr title prefix
         if: always()
         run: |
-          kind_label=$( gh api --jq '.labels.[].name' /repos/${{ github.repository }}/pulls/${{ github.event.number }} | grep '^kind/')
+          kind_label=$( gh api --jq '.labels.[].name' /repos/${REPO}/pulls/${NUMBER} | grep '^kind/')
           kind_label_to_pr_title_prefix='{"kind/bug":"fix","kind/feature":"feat","kind/docs":"docs","kind/chore":"chore","kind/flaky-test":"test","kind/missing-test":"test","kind/failing-test":"test","kind/deps":"deps"}'
           prefix=$(echo $kind_label_to_pr_title_prefix | jq -r ".\"$kind_label\"")
-          echo "${{ github.event.pull_request.title }}" | grep '^'$prefix || (echo "PR title should start with $prefix"; exit 1)
+          echo "$TITLE" | grep '^'$prefix || (echo "PR title should start with $prefix"; exit 1)
         env:
           GH_TOKEN: ${{ github.token }}
+          TITLE: ${{ github.event.pull_request.title }}
+          REPO: ${{ github.repository }}
+          NUMBER: ${{ github.event.number }}
 
       - name: Check that there is no do-not-merge label
         if: always()
         run: |
-          labels=$(gh api --jq '.labels.[]' /repos/${{ github.repository }}/pulls/${{ github.event.number }} )
+          labels=$(gh api --jq '.labels.[]' /repos/${REPO}/pulls/${NUMBER} )
           echo "Labels found: $( echo $labels | jq -r '.name' )"
 
           ! echo "$labels" | jq 'select(.name | startswith("do-not-merge"))' | jq -n "input.name"
         env:
           GH_TOKEN: ${{ github.token }}
+          REPO: ${{ github.repository }}
+          NUMBER: ${{ github.event.number }}
 
   pr-title-check:
     runs-on: ubuntu-latest