Mitigate potential template injection in CI workflow

[mediremi]

In GitHub Actions workflows, using template expansions (${{ ... }}) in run (and other code execution) blocks can lead to template injection vulnerabilities.

From the link above:

These expansions happen before workflow and job execution, meaning the expansion of a given expression appears verbatim in whatever context it was performed in.

Template expansions aren't syntax-aware, meaning that they can result in unintended shell injection vectors. This is especially true when they're used with attacker-controllable expression contexts

zizmor identified two locations in .github/workflows/ci.yml where code injection via template expansion may be possible:

1. rescript/.github/workflows/ci.yml

   Line 275 in f7e3343

   -B ${{ github.ref }} \

2. rescript/.github/workflows/ci.yml

   Line 532 in f7e3343

   git commit -m "Update API docs for ${{ github.ref_name }}"

As recommended by GitHub's Security Lab, I've replaced these template expansions with environmental variables.

The $GITHUB_REF and $GITHUB_REF_NAME environmental variables are already defined by default, so we don't need to define them with env:.

[mediremi]

I've wrapped this env var with quotes to avoid word splitting

[pkg-pr-new]

Open in StackBlitz

rescript

npm i https://pkg.pr.new/rescript-lang/rescript@7982

@rescript/darwin-arm64

npm i https://pkg.pr.new/rescript-lang/rescript/@rescript/darwin-arm64@7982

@rescript/darwin-x64

npm i https://pkg.pr.new/rescript-lang/rescript/@rescript/darwin-x64@7982

@rescript/linux-arm64

npm i https://pkg.pr.new/rescript-lang/rescript/@rescript/linux-arm64@7982

@rescript/linux-x64

npm i https://pkg.pr.new/rescript-lang/rescript/@rescript/linux-x64@7982

@rescript/runtime

npm i https://pkg.pr.new/rescript-lang/rescript/@rescript/runtime@7982

@rescript/win32-x64

npm i https://pkg.pr.new/rescript-lang/rescript/@rescript/win32-x64@7982

commit: 15806f7

[cknitt]

Thanks @mediremi! 👍