Prevent arbitrary code execution in wordcloud actions workflow

JessicaLim8 · Oct 17, 2020 · c1363c4 · c1363c4
1 parent d33114e
commit c1363c4
Showing 1 changed file with 6 additions and 7 deletions.
diff --git a/.github/workflows/wordcloud.yml b/.github/workflows/wordcloud.yml
@@ -13,12 +13,6 @@ jobs:
     - name: Checkout
       uses: actions/checkout@v2.3.1
 
-    - name: Set env vars
-      run: |
-        echo ::set-env name=REPOSITORY::${{ github.repository }}
-        echo ::set-env name=EVENT_ISSUE_NUMBER::${{ github.event.issue.number }}
-        echo ::set-env name=EVENT_USER_LOGIN::${{ github.event.issue.user.login }}
-
     - name: Set up Ruby
       uses: ruby/setup-ruby@v1
       with:
@@ -35,14 +29,19 @@ jobs:
         pip install wordcloud
 
     - name: Generate New Word Cloud
+      env:
+        REPOSITORY: ${{ github.repository }}
+        EVENT_ISSUE_NUMBER: ${{ github.event.issue.number }}
+        EVENT_ISSUE_TITLE: ${{ github.event.issue.title }}
+        EVENT_USER_LOGIN: ${{ github.event.issue.user.login }}
       run: |
         ruby <<- EORUBY
           require './wordcloud/runner'
           
           Runner.new(
             github_token: '${{ secrets.GITHUB_TOKEN }}',
             issue_number: ENV.fetch('EVENT_ISSUE_NUMBER'),
-            issue_title: '${{ github.event.issue.title }}',
+            issue_title: ENV.fetch('EVENT_ISSUE_TITLE'),
             repository: ENV.fetch('REPOSITORY'),
             user: ENV.fetch('EVENT_USER_LOGIN'),
           ).run