From da235b4779d3fb29419228ea5ba71010fc1f0b7a Mon Sep 17 00:00:00 2001
From: Lucas Saavedra Vaz <32426024+lucasssvaz@users.noreply.github.com>
Date: Tue, 10 Sep 2024 13:59:14 -0300
Subject: [PATCH] test

---
 .github/workflows/tests_results.yml        | 26 ++++++++++++++++++----
 .github/workflows/upload-idf-component.yml |  7 +++++-
 2 files changed, 28 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/tests_results.yml b/.github/workflows/tests_results.yml
index 8dbe3d937ad..a255016c413 100644
--- a/.github/workflows/tests_results.yml
+++ b/.github/workflows/tests_results.yml
@@ -41,6 +41,24 @@ jobs:
           original_sha=$(cat ./artifacts/parent-artifacts/sha.txt)
           original_ref=$(cat ./artifacts/parent-artifacts/ref.txt)
           original_conclusion=$(cat ./artifacts/parent-artifacts/conclusion.txt)
+
+          # Sanitize the values to avoid security issues
+
+          # Event: Allow alphabetical characters and underscores
+          original_event=$(echo "$original_event" | tr -cd '[:alpha:]_')
+
+          # Action: Allow alphabetical characters and underscores
+          original_action=$(echo "$original_action" | tr -cd '[:alpha:]_')
+
+          # SHA: Allow alphanumeric characters
+          original_sha=$(echo "$original_sha" | tr -cd '[:alnum:]')
+
+          # Ref: Allow alphanumeric characters, slashes, underscores, dots, and dashes
+          original_ref=$(echo "$original_ref" | tr -cd '[:alnum:]/_.-')
+
+          # Conclusion: Allow alphabetical characters and underscores
+          original_conclusion=$(echo "$original_conclusion" | tr -cd '[:alpha:]_')
+
           echo "original_event=$original_event" >> $GITHUB_ENV
           echo "original_action=$original_action" >> $GITHUB_ENV
           echo "original_sha=$original_sha" >> $GITHUB_ENV
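Review bot: The `tr -cd` allowlists on the five `original_*` values strip offending characters instead of rejecting the value, so a malformed or tampered artifact is silently turned into a different, plausible-looking value rather than failing the job; since these files come from the parent run's artifacts (attacker-influenced when that parent run was for a pull request, as far as can be told from here), validate-and-fail is the safer shape wherever the expected format is known. For the SHA, `[[ $original_sha =~ ^[0-9a-f]{40}$ ]] || { echo "::error::unexpected sha in parent artifacts"; exit 1; }` pins the exact format, and `original_event`/`original_conclusion` could likewise be checked against the small set of values the later steps appear to expect. The `tr -cd` pass does already close the newline injection into `$GITHUB_ENV` on the `echo` lines below, which is the important part of this change. The `run:` script this hunk belongs to starts above the hunk (the `original_event` and `original_action` reads are not shown).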
@@ -71,10 +89,10 @@ jobs:
         uses: actions/github-script@v7
         with:
           script: |
-            const ref = '${{ env.original_ref }}';
+            const ref = process.env.original_ref;
             const key_prefix = 'tests-' + ref + '-';
-            if ('${{ env.original_event }}' == 'pull_request' && '${{ env.original_action }}' != 'closed') {
+            if (process.env.original_event == 'pull_request' && process.env.original_action != 'closed') {
               console.log('Skipping cache cleanup for open PR');
               return;
             }
@@ -104,12 +122,12 @@ jobs:
           script: |
             const owner = '${{ github.repository_owner }}';
             const repo = '${{ github.repository }}'.split('/')[1];
-            const sha = '${{ env.original_sha }}';
+            const sha = process.env.original_sha;
             core.debug(`owner: ${owner}`);
             core.debug(`repo: ${repo}`);
             core.debug(`sha: ${sha}`);
             const { context: name, state } = (await github.rest.repos.createCommitStatus({
-              context: 'Runtime Tests / Report results (${{ env.original_event }} -> workflow_run -> workflow_run)',
+              context: `Runtime Tests / Report results (${process.env.original_event} -> workflow_run -> workflow_run)`,
               owner: owner,
               repo: repo,
               sha: sha,
diff --git a/.github/workflows/upload-idf-component.yml b/.github/workflows/upload-idf-component.yml
index 22912de6da0..c12b8559019 100644
--- a/.github/workflows/upload-idf-component.yml
+++ b/.github/workflows/upload-idf-component.yml
@@ -6,6 +6,9 @@ on:
     types:
       - completed
+permissions:
+  contents: read
+
 jobs:
   upload_components:
     runs-on: ubuntu-latest
@@ -17,7 +20,9 @@ jobs:
             exit 1
           fi
-          branch=${{ github.event.workflow_run.head_branch }}
+          # Read and sanitize the branch/tag name
+          branch=$(echo "${{ github.event.workflow_run.head_branch }}" | tr -cd '[:alnum:]/_.-')
+
           if [[ $branch == refs/tags/* ]]; then
             tag="${branch#refs/tags/}"
           elif [[ $branch =~ ^[0-9]+\.[0-9]+\.[0-9]+.*$ ]]; then
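Review bot: `process.env.original_ref` is used to build `key_prefix` with no guard, so an empty value (which the sanitizing step in this same commit can now produce by stripping every character) yields the prefix `tests--`, and an unset variable yields `tests-undefined-`; neither is likely to match real keys, but a cache-cleanup step should fail loudly rather than quietly run against a bad prefix. Add `if (!ref) { core.setFailed('original_ref is empty'); return; }` before `key_prefix` is built. As a matter of style, the new `if` line should use strict comparison, `process.env.original_event === 'pull_request' && process.env.original_action !== 'closed'`, consistent with the rest of the script. The enclosing script continues past the end of the hunk.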
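Review bot: The `tr -cd` filter on the new `branch=` line runs too late to help, because `${{ github.event.workflow_run.head_branch }}` is substituted into the script text by the workflow runner before bash parses it; a head branch named like `x";id>/tmp/pwned;echo "` (double quotes, `;` and `$` are all legal in git ref names) closes the quoted string and executes before `tr` ever sees the bytes, so the injection this line is meant to prevent remains possible. Pass the value through the environment and sanitize the variable instead, which is the approach the `tests_results.yml` hunks in this commit take with `process.env`: add `env:` / `HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}` on the step and read it as `branch=$(printf '%s' "$HEAD_BRANCH" | tr -cd '[:alnum:]/_.-')`. Whether an untrusted fork branch can reach this step at all depends on the check that ends with the `exit 1`/`fi` above, which is outside the hunk; the `run:` script starts before the hunk and the `if`/`elif` chain continues after it.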