From 84bd607ae8c1b3d53c64172adcc0228e8f6ae298 Mon Sep 17 00:00:00 2001
From: Spencer Schrock
Date: Mon, 27 Nov 2023 15:10:51 -0800
Subject: [PATCH] :seedling: fix script injection (#3695)

Thanks to @AdnaneKhan for the report.

* start with reporter patch
* use env variable for bash step too

Signed-off-by: Spencer Schrock
--------
Signed-off-by: Spencer Schrock
---
 .github/workflows/scdiff.yml | 17 ++++++-----------
 1 file changed, 6 insertions(+), 11 deletions(-)

diff --git a/.github/workflows/scdiff.yml b/.github/workflows/scdiff.yml
index e457fc89..ba809e28 100644
--- a/.github/workflows/scdiff.yml
+++ b/.github/workflows/scdiff.yml
@@ -49,15 +49,10 @@ jobs:
           https://gitlab.com/baserow/baserow
           https://gitlab.com/cryptsetup/cryptsetup
           EOF
-      # use shell syntax to escape, since the checks arg goes to CLI when calling scdiff
-      - name: escape comment body
-        id: comment
-        env:
-          BODY: ${{ github.event.comment.body }}
-        run: |
-          echo "body=$BODY" >> $GITHUB_OUTPUT
       - name: configure scdiff
         id: config
+        env:
+          COMMENT_BODY: ${{ github.event.comment.body }}
         uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         with:
           script: |
@@ -76,13 +71,13 @@ jobs:
             core.setOutput('head', response.data.head.sha)
 
             checks = '""'
-            const commentBody = '${{ steps.comment.outputs.body }}'
+            const commentBody = process.env.COMMENT_BODY
             const regex = /\/scdiff generate ([^ ]+)/;
             const found = commentBody.match(regex);
             if (found && found.length == 2) {
               checks = found[1]
             }
-            core.setOutput('checks', checks)
+            core.exportVariable('SCORECARD_CHECKS', checks)
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           ref: ${{ steps.config.outputs.base }}
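Review bot: The default `checks = '""'` (the context line just above the changed `commentBody` line in the second hunk) was written for the old `${{ }}` interpolation, where the shell parsed the two quote characters into an empty argument; now that the value travels through `SCORECARD_CHECKS` and is expanded at run time, bash performs no quote removal on expansion results, so scdiff receives the literal two-character string `""` as its `--checks` value whenever no `/scdiff generate` command matches. Changing the default to `checks = ''` fixes that only together with quoting the expansion in the two `run` hunks that follow (`--checks "$SCORECARD_CHECKS" > $HOME/before.json` and the `after.json` twin), since an empty unquoted variable would leave `--checks` with no value at all. Whether scdiff treats an empty `--checks` as "all checks" is not visible here and should be confirmed against the CLI. `core.exportVariable` also makes the comment-derived value visible to every later step in the job rather than only the two that need it; keeping `setOutput('checks', checks)` and reading it through a step-level `env:` on those two steps would narrow the scope without reintroducing the interpolation. The `script` block starts above this hunk.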
@@ -98,7 +93,7 @@ jobs:
         run: |
           go run cmd/internal/scdiff/main.go generate \
             --repos $HOME/repos.txt \
-            --checks ${{ steps.config.outputs.checks }} > $HOME/before.json
+            --checks $SCORECARD_CHECKS > $HOME/before.json
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           ref: ${{ steps.config.outputs.head }}
@@ -109,7 +104,7 @@ jobs:
         run: |
           go run cmd/internal/scdiff/main.go generate \
             --repos $HOME/repos.txt \
-            --checks ${{ steps.config.outputs.checks }} > $HOME/after.json
+            --checks $SCORECARD_CHECKS > $HOME/after.json
       - name: compare results
         run: |
           go run cmd/internal/scdiff/main.go compare $HOME/before.json $HOME/after.json
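Review bot: `$SCORECARD_CHECKS` is expanded unquoted in both `run` steps (this hunk and the `after.json` one), and its value is the `[^ ]+` capture from the comment body, which admits glob metacharacters and tabs or newlines; an unquoted expansion is subject to pathname expansion and word splitting, so a single comment token could reach scdiff as several arguments or as expanded file names. Quoting the expansion, `--checks "$SCORECARD_CHECKS" > $HOME/before.json` (and likewise for `after.json`), confines the comment content to one argument. This is a robustness point rather than the injection the commit fixes: passing the value through an environment variable already keeps it out of shell parsing. The enclosing step's `- name:` line is above the hunk.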