Cornelicorn/oh-my-zsh
1
0
Fork 0
mirror of https://github.com/robbyrussell/oh-my-zsh.git synced 2025-12-06 15:30:40 +01:00
Code Issues Releases Wiki Activity

ci: improve security in project.yml workflow (#13329)

Browse Source 
There is no inherent security vulnerability in the workflow, but there were
certain practices that increased latent risk. In this commit, we:

- Explicitly bind app token for each step that needs it, instead of setting it for
  all steps after "Store app token"
- Refactor "classify" step, to not rely on files passed around, and instead uses
  only awk script.
- Remove all instances of template injection within `run` scripts. There was nothing
  dangerous, but the practice is unsafe.
- Sanitize all unwanted characters from PR plugin and theme names.

References: W2M1-06 W2M1-07
This commit is contained in:
Marc Cornellà
2025-09-27 20:00:50 +02:00
committed by GitHub
parent 6d5482ef59
commit 242e2faa51
1 changed files with 34 additions and 30 deletions
Download Patch File Download Diff File Expand all files Collapse all files

64
.github/workflows/project.yml vendored
View File

@@ -20,17 +20,15 @@ jobs:
uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
with: with:
egress-policy: audit egress-policy: audit
- name: Authenticate as @ohmyzsh - name: Authenticate as @ohmyzsh
id: generate-token id: generate-token
uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4 uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4
with: with:
app-id: ${{ secrets.OHMYZSH_APP_ID }} app-id: ${{ secrets.OHMYZSH_APP_ID }}
private-key: ${{ secrets.OHMYZSH_APP_PRIVATE_KEY }} private-key: ${{ secrets.OHMYZSH_APP_PRIVATE_KEY }}
- name: Store app token
run: echo "GH_TOKEN=${{ steps.generate-token.outputs.token }}" >> "$GITHUB_ENV"
- name: Read project data - name: Read project data
env: env:
GH_TOKEN: ${{ steps.generate-token.outputs.token }}
ORGANIZATION: ohmyzsh ORGANIZATION: ohmyzsh
PROJECT_NUMBER: "1" PROJECT_NUMBER: "1"
run: | run: |
@@ -53,14 +51,14 @@ jobs:
}' -f org=$ORGANIZATION -F number=$PROJECT_NUMBER > project_data.json }' -f org=$ORGANIZATION -F number=$PROJECT_NUMBER > project_data.json
# Parse project data # Parse project data
cat >> $GITHUB_ENV <<EOF cat >> "$GITHUB_ENV" <<EOF
PROJECT_ID=$(jq '.data.organization.projectV2.id' project_data.json) PROJECT_ID=$(jq '.data.organization.projectV2.id' project_data.json)
PLUGIN_FIELD_ID=$(jq '.data.organization.projectV2.fields.nodes[] | select(.name == "Plugin") | .id' project_data.json) PLUGIN_FIELD_ID=$(jq '.data.organization.projectV2.fields.nodes[] | select(.name == "Plugin") | .id' project_data.json)
THEME_FIELD_ID=$(jq '.data.organization.projectV2.fields.nodes[] | select(.name == "Theme") | .id' project_data.json) THEME_FIELD_ID=$(jq '.data.organization.projectV2.fields.nodes[] | select(.name == "Theme") | .id' project_data.json)
EOF EOF
- name: Add to project - name: Add to project
env: env:
GH_TOKEN: ${{ steps.generate-token.outputs.token }}
ISSUE_OR_PR_ID: ${{ github.event.issue.node_id || github.event.pull_request.node_id }} ISSUE_OR_PR_ID: ${{ github.event.issue.node_id || github.event.pull_request.node_id }}
run: | run: |
item_id="$(gh api graphql -f query=' item_id="$(gh api graphql -f query='
@@ -71,45 +69,51 @@ jobs:
} }
} }
} }
' -f project=$PROJECT_ID -f content=$ISSUE_OR_PR_ID --jq '.data.addProjectV2ItemById.item.id')" ' -f project="$PROJECT_ID" -f content="$ISSUE_OR_PR_ID" --jq '.data.addProjectV2ItemById.item.id')"
echo "ITEM_ID=$item_id" >> $GITHUB_ENV echo "ITEM_ID=$item_id" >> $GITHUB_ENV
- name: Classify Pull Request - name: Classify Pull Request
if: github.event_name == 'pull_request_target' if: github.event_name == 'pull_request_target'
env:
GH_TOKEN: ${{ steps.generate-token.outputs.token }}
PR_NUMBER: ${{ github.event.pull_request.number }}
run: | run: |
touch plugins.list themes.list # Get the list of modified files in the PR, and extract plugins and themes
gh pr view "$PR_NUMBER" \
gh pr view ${{ github.event.pull_request.number }} \ --repo "$GITHUB_REPOSITORY" \
--repo ${{ github.repository }} \
--json files --jq '.files.[].path' | awk -F/ ' --json files --jq '.files.[].path' | awk -F/ '
BEGIN {
plugins = 0
themes = 0
}
/^plugins\// { /^plugins\// {
plugins[$2] = 1 if (plugin == $2) next
plugin = $2
plugins++
} }
/^themes\// { /^themes\// {
gsub(/\.zsh-theme$/, "", $2) gsub(/\.zsh-theme$/, "", $2)
themes[$2] = 1 if (theme == $2) next
theme = $2
themes++
} }
END { END {
for (plugin in plugins) { # plugin and theme are values controlled by the PR author
print plugin >> "plugins.list" # so we should sanitize them before using anywhere else
if (plugins == 1) {
gsub(/[^a-zA-Z0-9._-]/, "", plugin)
print "PLUGIN=" plugin
} }
for (theme in themes) { if (themes == 1) {
print theme >> "themes.list" gsub(/[^a-zA-Z0-9._-]/, "", theme)
print "THEME=" theme
} }
} }
' ' >> "$GITHUB_ENV"
# If only one plugin is modified, add it to the plugin field
if [[ $(wc -l < plugins.list) = 1 ]]; then
echo "PLUGIN=$(cat plugins.list)" >> $GITHUB_ENV
fi
# If only one theme is modified, add it to the theme field
if [[ $(wc -l < themes.list) = 1 ]]; then
echo "THEME=$(cat themes.list)" >> $GITHUB_ENV
fi
- name: Fill Pull Request fields in project - name: Fill Pull Request fields in project
if: github.event_name == 'pull_request_target' if: github.event_name == 'pull_request_target'
env:
GH_TOKEN: ${{ steps.generate-token.outputs.token }}
run: | run: |
gh api graphql -f query=' gh api graphql -f query='
mutation ( mutation (
@@ -145,7 +149,7 @@ jobs:
} }
} }
} }
' -f project=$PROJECT_ID -f item=$ITEM_ID \ ' -f project="$PROJECT_ID" -f item="$ITEM_ID" \
-f plugin_field=$PLUGIN_FIELD_ID -f plugin_value=$PLUGIN \ -f plugin_field="$PLUGIN_FIELD_ID" -f plugin_value="$PLUGIN" \
-f theme_field=$THEME_FIELD_ID -f theme_value=$THEME \ -f theme_field="$THEME_FIELD_ID" -f theme_value="$THEME" \
--silent --silent