Pass untrusted input via intermediate ENV vars in CI jobs
atodorov committed Apr 24, 2023
1 parent b47c866 commit 834c86d
Showing 1 changed file with 7 additions and 4 deletions.
11 changes: 7 additions & 4 deletions .github/workflows/changelog.yml
Expand Up @@ -13,20 +13,23 @@ jobs:
- uses: actions/checkout@v3

- name: check-source-branch-and-modified-files
env:
HEAD_REF: ${{ github.head_ref }}
DIFF_URL: ${{ github.event.pull_request.diff_url }}
run: |
# fail if curl fails
set -e
echo "INFO: source branch is: ${{ github.head_ref }}"
echo "INFO: source branch is: $HEAD_REF"
echo "INFO: modified files"
curl -o- -L "${{ github.event.pull_request.diff_url }}" 2>/dev/null | grep "^diff --git"
curl -o- -L "$DIFF_URL" 2>/dev/null | grep "^diff --git"
set +e
# if this PR modifies the CHANGELOG file it needs to come from a branch
# that follows the pattern 'prepare/vX.Y' b/c we want to run some extra jobs for such branches!
if curl -o- -L "${{ github.event.pull_request.diff_url }}" 2>/dev/null | grep "^diff --git" | grep "CHANGELOG"; then
if [[ ! "${{ github.head_ref }}" =~ ^prepare/v.+$ ]]; then
if curl -o- -L "$DIFF_URL" 2>/dev/null | grep "^diff --git" | grep "CHANGELOG"; then
if [[ ! "$HEAD_REF" =~ ^prepare/v.+$ ]]; then
echo "FAIL: Modifications to CHANGELOG are only accepted from 'prepate/vX.Y' branches!"
echo "INFO: Otherwise aarch64 jobs in Circle CI will not be executed."
exit 1
