Merge pull request #2394 from woocommerce/dev/fix-gha-untrusted-input

Avoid running untrusted input as shell commands in the GitHub Actions
woocommerce · May 9, 2024 · 53743a9 · 53743a9
2 parents b26050f + aae2355
commit 53743a9
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 2 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -55,8 +55,10 @@ jobs:
 
       - name: Prepare BundleWatch env values - pull request
         if: ${{ github.event_name == 'pull_request' }}
+        env:
+          HEAD_REF: ${{ github.head_ref }}
         run: |
-          echo "CI_BRANCH=${{ github.head_ref }}" >> $GITHUB_ENV
+          echo "CI_BRANCH=${HEAD_REF}" >> $GITHUB_ENV
           echo "CI_BRANCH_BASE=${{ github.base_ref }}" >> $GITHUB_ENV
           echo "CI_COMMIT_SHA=${{ github.event.pull_request.head.sha }}" >> $GITHUB_ENV
 

diff --git a/.github/workflows/php-hook-documentation.yml b/.github/workflows/php-hook-documentation.yml
@@ -31,6 +31,8 @@ jobs:
           source-directories: src/,views/,google-listings-and-ads.php,uninstall.php
 
       - name: Commit hook documentation
+        env:
+          HEAD_REF: ${{ github.head_ref }}
         shell: bash
         # Use the github-actions bot account to commit.
         # https://api.github.com/users/github-actions%5Bbot%5D
@@ -43,6 +45,6 @@ jobs:
             echo "*No documentation changes to commit.*" >> $GITHUB_STEP_SUMMARY
           else
             echo "*Committing documentation changes.*" >> $GITHUB_STEP_SUMMARY
-            git commit -q -m "Update hooks documentation from ${{ github.head_ref }} branch."
+            git commit -q -m "Update hooks documentation from ${HEAD_REF} branch."
             git push
           fi