fix: extract 3 unsafe expression(s) to env vars #540
Open
dagecko wants to merge 1 commit into
Automated security fixes applied by Runner Guard (https://github.com/Vigilant-LLC/runner-guard).
Changes:
.github/workflows/release.yml | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
Member
Hi @dagecko 👋 Thank you for this PR and for the service you're doing for OSS! As far as I understand, this change prevents shell injection if there was something malicious in That secret is controlled by us and if someone gains access to set that secret we're in a bigger pickle already if I'm not missing something 😅
Description
This PR hardens CI/CD workflows against supply chain attacks by extracting 3 secrets from run: blocks into env: mappings.
Summary
This PR hardens your CI/CD workflows against supply chain attacks by extracting unsafe expressions from run: blocks into env: mappings.
release.yml: TF_DEVEX_COMMIT_GITHUB_TOKEN secrets to env vars
Why this PR
I've been scanning the top 50,000 GitHub repositories for CI/CD pipeline vulnerabilities over the last 5 weeks as part of an ongoing research effort into the supply chain attack campaign that started with tj-actions in March and has escalated through multiple phases since.
You may notice that I have opened up a lot of PRs - don't take that as a negative. I've been working around the clock on this and monitoring all comms. It may take me an hour or two to get back to a comment you leave.
How to verify
Every change is mechanical and preserves workflow behavior:
${{ secrets.* }} from run: blocks into env: mappings, preventing shell injection
We've had 22 merges so far including next.js, keras, webpack, svelte, apache/superset, and excalidraw. I created a tool called Runner Guard to assist in my research - it does mechanical, non-AI fixes to reduce hallucinations to zero and produce consistent fixes. If you would like to scan it yourself to validate my work, feel free.
Happy to answer any questions - I'm monitoring comms on every PR.
- Chris Nyhuis (dagecko)
PCI review checklist
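
A check for the pattern this PR changes, as an added example that is not part of the PR or of Runner Guard: it flags any ${{ ... }} expression still sitting inside a run: script, where GitHub Actions substitutes the value into the script text before the shell parses it. The workflow snippets and the EXAMPLE_TOKEN name are constructed, and the line-based parser is a simplification that only handles single-line and block-scalar run: values.

```python
import re

# Constructed sample workflows (not the project's release.yml); EXAMPLE_TOKEN is a placeholder.
BEFORE = """\
steps:
  - name: Push release commit
    run: |
      git remote set-url origin "https://x-access-token:${{ secrets.EXAMPLE_TOKEN }}@github.com/example/repo.git"
      git push origin HEAD
"""
AFTER = """\
steps:
  - name: Push release commit
    env:
      EXAMPLE_TOKEN: ${{ secrets.EXAMPLE_TOKEN }}
    run: |
      git remote set-url origin "https://x-access-token:${EXAMPLE_TOKEN}@github.com/example/repo.git"
      git push origin HEAD
"""

RUN_KEY = re.compile(r"^(\s*)((?:-\s+)?)run:\s*(.*)$")
EXPR = re.compile(r"\$\{\{\s*(.+?)\s*\}\}")


def find_inline_expressions(workflow_text):
    """Return (line_number, expression) for every ${{ ... }} inside a run: script."""
    findings = []
    block_col = None  # column of the run: key while we are inside its block scalar
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        if block_col is not None:
            indent = len(line) - len(line.lstrip(" "))
            if not line.strip() or indent > block_col:
                # Still script text: Actions pastes the expression's value here
                # before the shell parses the line.
                findings += [(lineno, e) for e in EXPR.findall(line)]
                continue
            block_col = None  # dedent ends the script
        m = RUN_KEY.match(line)
        if m:
            rest = m.group(3)
            if rest[:1] in ("|", ">"):  # block scalar: script is on following lines
                block_col = len(m.group(1)) + len(m.group(2))
            else:  # single-line script on the same line as the key
                findings += [(lineno, e) for e in EXPR.findall(rest)]
    return findings


if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, find_inline_expressions(text))
```

An expression under env: is not reported, because there the value reaches the script as an environment variable rather than as script text.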