[ci] Fix possible command injection vulnerabilities

2024-12-07 19:30:17 +01:00 · 2024-12-07 19:30:17 +01:00 · e588dfaff2
commit e588dfaff2
parent b160a97f0e
3 changed files with 26 additions and 8 deletions
--- a/.forgejo/workflows/commit.yaml
+++ b/.forgejo/workflows/commit.yaml
@ -12,7 +12,10 @@ jobs:
        --volume /root/.docker:/root/.docker
    steps:
      - name: Clone repository
-        run: git clone ${{ github.event.repository.clone_url }} --branch=${{ github.ref_name }} --depth=1 .
+        run: git clone "$REPO" --branch="$BRANCH" --depth=1 .
+        env:
+          REPO: ${{ github.event.repository.clone_url }}
+          BRANCH: ${{ github.ref_name }}
      - name: Print environment info
        run: dotnet --info
      - name: Run unit tests
@ -21,7 +24,10 @@ jobs:
        shell: bash
        run: |
          make cleanall >/dev/null
-          docker login iceshrimp.dev -u ${{ github.actor }} -p ${{ secrets.REGISTRY_TOKEN }}
+          docker login iceshrimp.dev -u "$USER" -p "$TOKEN"
          docker buildx create --name iceshrimp-ci 2>&1 &>/dev/null || true
-          docker buildx build -t iceshrimp.dev/${GITHUB_REPOSITORY@L}:$GITHUB_REF_NAME --provenance=false --platform=linux/amd64,linux/arm64 --push --builder iceshrimp-ci .
+          docker buildx build -t "iceshrimp.dev/${GITHUB_REPOSITORY@L}:$GITHUB_REF_NAME" --provenance=false --platform=linux/amd64,linux/arm64 --push --builder iceshrimp-ci .
          docker buildx prune --keep-storage 20G --builder iceshrimp-ci
+        env:
+          USER: ${{ github.actor }}
+          TOKEN: ${{ secrets.REGISTRY_TOKEN }}
--- a/.forgejo/workflows/release-artifacts.yaml
+++ b/.forgejo/workflows/release-artifacts.yaml
@ -12,11 +12,17 @@ jobs:
        --volume /root/.docker:/root/.docker
    steps:
      - name: Clone repository
-        run: git clone ${{ github.event.repository.clone_url }} --branch=${{ github.ref_name }} --depth=1 .
+        run: git clone "$REPO" --branch="$BRANCH" --depth=1 .
+        env:
+          REPO: ${{ github.event.repository.clone_url }}
+          BRANCH: ${{ github.ref_name }}
      - name: Print environment info
        run: dotnet --info
      - name: Build release artifacts
-        run: make release-artifacts ARCHIVE_BASENAME=${{ github.event.repository.name }} ARCHIVE_VERSION=${{ github.ref_name }} VERBOSE=true DEP_VULN_WERROR=true
+        run: make release-artifacts "ARCHIVE_BASENAME=$REPO" "ARCHIVE_VERSION=$VERSION" VERBOSE=true DEP_VULN_WERROR=true
+        env:
+          REPO: ${{ github.event.repository.name }}
+          VERSION: ${{ github.ref_name }}
      - name: Upload artifacts
        uses: actions/release-action@main
        with:
@ -44,7 +50,10 @@ jobs:
          echo "TAGS=$TAGS" >> "${GITHUB_ENV}"
      - name: Build docker image
        run: |
-          docker login iceshrimp.dev -u ${{ github.actor }} -p ${{ secrets.REGISTRY_TOKEN }}
+          docker login iceshrimp.dev -u "$USER" -p "$TOKEN"
          docker buildx create --name iceshrimp-ci 2>&1 &>/dev/null || true
          docker buildx build ${{ env.TAGS }} --provenance=false --platform=linux/amd64,linux/arm64 --push --builder iceshrimp-ci -f ./.docker/dotnet-runner-9.0.Dockerfile ./release
          docker buildx prune --keep-storage 20G --builder iceshrimp-ci
+        env:
+          USER: ${{ github.actor }}
+          TOKEN: ${{ secrets.REGISTRY_TOKEN }}
--- a/.forgejo/workflows/test-build.yaml
+++ b/.forgejo/workflows/test-build.yaml
@ -13,9 +13,12 @@ jobs:
      - name: Clone repository
        run: |
          git init -b test-build
-          git remote add origin ${{ github.event.repository.clone_url }}
-          git fetch origin ${{ github.ref }} --depth=1
+          git remote add origin "$REPO"
+          git fetch origin "$REF" --depth=1
          git checkout --detach FETCH_HEAD
+        env:
+          REPO: ${{ github.event.repository.clone_url }}
+          REF: ${{ github.ref }}
      - name: Print environment info
        run: dotnet --info
      - name: Run unit tests