[CI] Add env ci #5331

Copilot · 2025-12-02T09:15:18Z

BRANCH is expanded unquoted in the shell command git diff upstream/$BRANCH --name-only, which allows command injection if an attacker can influence the branch name (e.g., a PR from a fork with a branch name containing ; or backticks). This can lead to arbitrary command execution in CI with your secrets (like GITHUB_TOKEN). Quote the variable to prevent the shell from interpreting metacharacters, e.g.,

HAS_ENV_MODIFY=$(git diff "upstream/${BRANCH}" --name-only | grep -E "^${ENV_FILE}$" || true)

Additionally consider validating BRANCH against a safe pattern (e.g., ^[A-Za-z0-9._/-]+$).

-Original file line number
+Diff line change
@@ Expand Up @@
         check_approval "$echo_line1" 1 freeliuzc Deleter-D
     fi
+    ENV_FILE="fastdeploy/envs.py"
+    HAS_ENV_MODIFY=$(git diff upstream/$BRANCH --name-only | grep -E "^${ENV_FILE}$" || true)
+    if [ "${HAS_ENV_MODIFY}" != "" ] && [ "${PR_ID}" != "" ]; then
+        echo_line1="You must have one FastDeploy RD (yuanlehome(liuyuanle), rainyfly(chenjian26), Wanglongzhi2001(wanglongzhi)) approval for modifying [${ENV_FILE}]."
+        check_approval "$echo_line1" 1 yuanlehome rainyfly Wanglongzhi2001
+    fi
     if [[ "${BRANCH}" != "develop" ]] && [[ -n "${PR_ID}" ]]; then
         pr_info=$(curl -H "Authorization: token ${GITHUB_TOKEN}" \
             https://api.github.com/repos/PaddlePaddle/FastDeploy/pulls/${PR_ID})
@@ Expand Down @@

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[CI] Add env ci #5331

Uh oh!

Diff view

Diff view

There are no files selected for viewing

Copilot AI Dec 2, 2025

Uh oh!

Uh oh!

[CI] Add env ci #5331

Uh oh!

[CI] Add env ci #5331

Uh oh!

Uh oh!

Diff view

Diff view

There are no files selected for viewing

Copilot AI Dec 2, 2025

Choose a reason for hiding this comment

Uh oh!

Uh oh!