🌱 fix script injection (#3695)
Thanks to @AdnaneKhan for the report. * start with reporter patch * use env variable for bash step too Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com>
This commit is contained in:
parent
f8198b0621
commit
84bd607ae8
17
.github/workflows/scdiff.yml
vendored
@ -49,15 +49,10 @@ jobs:
|
||||
https://gitlab.com/baserow/baserow
|
||||
https://gitlab.com/cryptsetup/cryptsetup
|
||||
EOF
|
||||
# use shell syntax to escape, since the checks arg goes to CLI when calling scdiff
|
||||
- name: escape comment body
|
||||
id: comment
|
||||
env:
|
||||
BODY: ${{ github.event.comment.body }}
|
||||
run: |
|
||||
echo "body=$BODY" >> $GITHUB_OUTPUT
|
||||
- name: configure scdiff
|
||||
id: config
|
||||
env:
|
||||
COMMENT_BODY: ${{ github.event.comment.body }}
|
||||
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
|
||||
with:
|
||||
script: |
|
||||
@ -76,13 +71,13 @@ jobs:
|
||||
core.setOutput('head', response.data.head.sha)
|
||||
|
||||
checks = '""'
|
||||
const commentBody = '${{ steps.comment.outputs.body }}'
|
||||
const commentBody = process.env.COMMENT_BODY
|
||||
const regex = /\/scdiff generate ([^ ]+)/;
|
||||
const found = commentBody.match(regex);
|
||||
if (found && found.length == 2) {
|
||||
checks = found[1]
|
||||
}
|
||||
core.setOutput('checks', checks)
|
||||
core.exportVariable('SCORECARD_CHECKS', checks)
|
||||
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
|
||||
with:
|
||||
ref: ${{ steps.config.outputs.base }}
|
||||
@ -98,7 +93,7 @@ jobs:
|
||||
run: |
|
||||
go run cmd/internal/scdiff/main.go generate \
|
||||
--repos $HOME/repos.txt \
|
||||
--checks ${{ steps.config.outputs.checks }} > $HOME/before.json
|
||||
--checks $SCORECARD_CHECKS > $HOME/before.json
|
||||
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
|
||||
with:
|
||||
ref: ${{ steps.config.outputs.head }}
|
||||
@ -109,7 +104,7 @@ jobs:
|
||||
run: |
|
||||
go run cmd/internal/scdiff/main.go generate \
|
||||
--repos $HOME/repos.txt \
|
||||
--checks ${{ steps.config.outputs.checks }} > $HOME/after.json
|
||||
--checks $SCORECARD_CHECKS > $HOME/after.json
|
||||
- name: compare results
|
||||
run: |
|
||||
go run cmd/internal/scdiff/main.go compare $HOME/before.json $HOME/after.json
|
||||
|
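Review bot: The retained default `checks = '""'` in the github-script step (a context line in the second hunk) now reaches the CLI verbatim: with `--checks $SCORECARD_CHECKS` in the third and fourth hunks, bash performs no quote removal on an expanded variable, so scdiff receives the literal two-character string `""` where the old `${{ }}` interpolation produced an empty argument. The unquoted expansion also still word-splits and glob-expands the comment-derived value — the regex `[^ ]+` on the line above it admits tabs, newlines and `*` — so the value can still be split into several CLI arguments even though command substitution is no longer possible. Change the default to `checks = ''` and quote both expansions, `--checks "$SCORECARD_CHECKS" > "$HOME/before.json"` and the same for after.json, so an empty value arrives as an empty argument; whether scdiff treats an empty --checks as "run every check" is not visible here and should be confirmed. The step definitions around each hunk begin and end outside the shown lines.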