
Commit de1ba40

committed
Prevent shell injection
1 parent b1cddc4 commit de1ba40


3 files changed

+16
-7
lines changed


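--- a/.github/workflows/pr-auto-commit.yaml
+++ b/.github/workflows/pr-auto-commit.yaml
@@ -93,8 +93,10 @@ jobs:
 
 - name: Push formatting changes
 if: steps.check-changes.outputs.has_changes == 'true'
+env:
+HEAD_REF: ${{ github.event.pull_request.head.ref }}
 run: |
-git push origin HEAD:${{ github.event.pull_request.head.ref }}
+git push origin "HEAD:${HEAD_REF}"
 
 - name: Read committed commands
 id: committed-commands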
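Review bot: The destination in `git push origin "HEAD:${HEAD_REF}"` is still an unqualified ref taken from the pull request's branch name, so git decides which ref namespace it resolves to; the env indirection stops shell expansion but not that. Writing the refspec as `git push origin "HEAD:refs/heads/${HEAD_REF}"` pins the push to a branch. The workflow's trigger and checkout step are outside this hunk, so whether `origin` can be a repository where this matters should be confirmed there.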

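--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -161,8 +161,9 @@ jobs:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 tag: ${{ github.ref_name }}
 run: ${{ github.run_number }}
+PRE_RELEASE_INPUT: ${{ github.event.inputs.pre-release }}
 run: |
-if [[ "${{ github.event.inputs.pre-release }}" == "false" ]]; then
+if [[ "${PRE_RELEASE_INPUT}" == "false" ]]; then
 RELEASE_TYPE_NAME=Release
 PRERELEASE_ARG=
 else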
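Review bot: The test `[[ "${PRE_RELEASE_INPUT}" == "false" ]]` sends every value other than the literal `false` to the `else` branch, including an empty value, which is presumably what the variable holds when the run was not started with that input. A comment above the `if` would record that this default is intended, for example `# anything but "false" (including unset) takes the else branch`. The `else` body lies outside the hunk, so which release type that default selects cannot be confirmed from here.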

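--- a/.github/workflows/update-doc-db.yml
+++ b/.github/workflows/update-doc-db.yml
@@ -61,7 +61,9 @@ jobs:
 token: ${{ secrets.AUTO_COMMIT_PAT }}
 
 - name: Create update branch
-run: git switch -c update-doc-${{ inputs.python-version }}
+env:
+PYTHON_VERSION: ${{ inputs.python-version }}
+run: git switch -c "update-doc-${PYTHON_VERSION}"
 
 - name: Download generated doc DBs
 uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0
@@ -71,6 +73,8 @@ jobs:
 merge-multiple: true
 
 - name: Transform JSON
+env:
+PYTHON_VERSION: ${{ inputs.python-version }}
 run: |
 # Merge all artifacts
 jq -s "add" --sort-keys crates/doc/generated/*.json > crates/doc/generated/merged.json
@@ -83,7 +87,7 @@ jobs:
 echo -n '' > $OUTPUT_FILE
 
 echo '// This file was auto-generated by `.github/workflows/update-doc-db.yml`.' >> $OUTPUT_FILE
-echo "// CPython version: ${{ inputs.python-version }}" >> $OUTPUT_FILE
+echo "// CPython version: ${PYTHON_VERSION}" >> $OUTPUT_FILE
 echo '// spell-checker: disable' >> $OUTPUT_FILE
 
 echo '' >> $OUTPUT_FILE
@@ -103,15 +107,17 @@ jobs:
 - name: Commit, push and create PR
 env:
 GH_TOKEN: ${{ secrets.AUTO_COMMIT_PAT }}
+PYTHON_VERSION: ${{ inputs.python-version }}
+BASE_REF: ${{ inputs.base-ref }}
 run: |
 git config user.name "github-actions[bot]"
 git config user.email "github-actions[bot]@users.noreply.github.com"
 if [ -n "$(git status --porcelain)" ]; then
 git add crates/doc/src/data.inc.rs
-git commit -m "Update doc DB for CPython ${{ inputs.python-version }}"
+git commit -m "Update doc DB for CPython ${PYTHON_VERSION}"
 git push -u origin HEAD
 gh pr create \
---base ${{ inputs.base-ref }} \
---title "Update doc DB for CPython ${{ inputs.python-version }}" \
+--base "${BASE_REF}" \
+--title "Update doc DB for CPython ${PYTHON_VERSION}" \
 --body "Auto-generated by update-doc-db workflow."
 fi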
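Review bot: `PYTHON_VERSION` is no longer expanded by the shell, but in the Transform JSON step it is still written unvalidated into the generated file by `echo "// CPython version: ${PYTHON_VERSION}" >> $OUTPUT_FILE`, and the same value ends up in the branch name, commit message and PR title. A value containing a line break would end the `//` comment and leave the remainder as source text in the generated file, presumably `crates/doc/src/data.inc.rs`. A format check before first use would close that, for example `[[ "${PYTHON_VERSION}" =~ ^[0-9]+(\.[0-9]+)*$ ]] || { echo "unexpected python-version" >&2; exit 1; }`, with the pattern adjusted to the version format the workflow actually accepts. Who may supply the input depends on the workflow's triggers, which are outside these hunks.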
