security: Fix GitHub Actions shell injection vulnerability

- Use environment variables instead of direct interpolation
- Prevent shell injection via GitHub context data
- Follow GitHub security best practices
This commit is contained in:
fr4iser
2026-02-28 20:40:25 +01:00
parent ac094d4a97
commit ab2e7b49ad


@@ -45,12 +45,17 @@ jobs:
- name: Determine deployment environment - name: Determine deployment environment
id: determine-env id: determine-env
env:
# Use environment variable to prevent shell injection
GITHUB_EVENT_NAME: ${{ github.event_name }}
GITHUB_REF: ${{ github.ref }}
GITHUB_INPUT_ENVIRONMENT: ${{ github.event.inputs.environment }}
run: | run: |
if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then if [[ "$GITHUB_EVENT_NAME" == "workflow_dispatch" ]]; then
echo "environment=${{ github.event.inputs.environment }}" >> $GITHUB_OUTPUT echo "environment=$GITHUB_INPUT_ENVIRONMENT" >> $GITHUB_OUTPUT
elif [[ "${{ github.ref }}" == "refs/heads/main" ]]; then elif [[ "$GITHUB_REF" == "refs/heads/main" ]]; then
echo "environment=staging" >> $GITHUB_OUTPUT echo "environment=staging" >> $GITHUB_OUTPUT
elif [[ "${{ github.ref }}" == refs/tags/v* ]]; then elif [[ "$GITHUB_REF" == refs/tags/v* ]]; then
echo "environment=production" >> $GITHUB_OUTPUT echo "environment=production" >> $GITHUB_OUTPUT
else else
echo "environment=staging" >> $GITHUB_OUTPUT echo "environment=staging" >> $GITHUB_OUTPUT