
Conversation

tangrufus (Member)

No description provided.

@tangrufus tangrufus added the enhancement New feature or request label Oct 16, 2025
working-directory: ${{ github.action_path }}

- name: Add the binary into PATH
run: echo "${ACTION_PATH}/bin" >> "$GITHUB_PATH"

Check warning

Code scanning / CodeQL

PATH environment variable built from user-controlled sources

Potential PATH environment variable injection in [echo "${ACTION_PATH}/bin" >> "$GITHUB_PATH"](1), which may be controlled by an external user.

Copilot Autofix

AI 6 days ago

To mitigate the risk, ensure the path added to $GITHUB_PATH cannot be manipulated by external or untrusted actors. The best method is to sanitize or validate ${ACTION_PATH} before use. Since ${{ github.action_path }} points to the location of the action's code (which may come from attacker-controlled repositories in some contexts), hardcoding trusted paths is preferred. However, if the binary must reside in the action path, validate that ${ACTION_PATH} matches an expected trusted base path before appending it to $GITHUB_PATH. At minimum, ensure the path does not contain dangerous characters (such as newlines, spaces, shell metacharacters), and that it is an absolute path under a safe parent directory.

Since only the snippet from action.yml is shown and shell commands are used, the most robust approach within the limitation of bash is to check the path prior to echoing. Insert a check ensuring ${ACTION_PATH} is absolute and does not contain suspicious characters. If validation fails, abort the workflow safely.

Specifically, replace the run line at line 99 with a script that:

  • Verifies ${ACTION_PATH}:
    • Is an absolute path ([[ $ACTION_PATH = /* ]])
    • Does not contain dangerous characters using a regex (e.g., no whitespace, no semicolon, no newline).
  • Optionally, restrict it to a specific safe base directory if known.
  • If it passes, echo ${ACTION_PATH}/bin into $GITHUB_PATH; else, error and abort.

No additional imports/dependencies are required for bash.


Suggested changeset 1
action.yml

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/action.yml b/action.yml
--- a/action.yml
+++ b/action.yml
@@ -96,7 +96,14 @@
       working-directory: ${{ github.action_path }}
 
     - name: Add the binary into PATH
-      run: echo "${ACTION_PATH}/bin" >> "$GITHUB_PATH"
+      run: |
+        if [[ ! "$ACTION_PATH" =~ ^/ ]]; then
+          echo "::error::ACTION_PATH is not an absolute path"; exit 1
+        fi
+        if [[ "$ACTION_PATH" =~ [[:space:];`$"\\\]] ]]; then
+          echo "::error::ACTION_PATH contains invalid characters"; exit 1
+        fi
+        echo "${ACTION_PATH}/bin" >> "$GITHUB_PATH"
       shell: bash
       env:
         ACTION_PATH: ${{ github.action_path }}
EOF
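Review bot: the character check in the second `if` of this hunk is not valid bash as written. The pattern `[[:space:];`$"\\\]]` sits unquoted on the right of `=~`, so bash reads the backtick as the start of a command substitution and `$"` as the start of a locale-quoted string; neither is closed anywhere in the step, so the run fails with an "unexpected EOF while looking for matching" error before any path is examined. Store the pattern in a single-quoted variable and match against the variable, e.g. `pat='[[:space:];`$"\\]'` followed by `if [[ "$ACTION_PATH" =~ $pat ]]; then`. Separately, the patch implements only the absolute-path and character checks, while the explanation above it also proposes restricting the path to a known base directory; that restriction is the stronger control for the alerted sink, and the `[[:space:]]` class on its own also rejects any legitimate action path that happens to contain a space.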
Unable to commit as this autofix suggestion is now outdated
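The validation procedure the autofix describes (absolute path, no shell-significant characters, an optional trusted base directory, then append to $GITHUB_PATH), as an added POSIX shell example that is not part of the project's action.yml or of the autofix patch. The trusted base directory /opt/runner/_work/_actions and every sample path are constructed for illustration; the rejected characters are held in shell variables and matched with case patterns, so backtick, $ and " are compared literally rather than expanded.

```shell
#!/bin/sh
# Added example (not the project's action.yml or the autofix patch):
# validate an action path before appending "<path>/bin" to $GITHUB_PATH.
# Written for POSIX sh so it does not depend on bash's =~ operator.

TAB=$(printf '\t')
NL='
'

# validate_action_path PATH [TRUSTED_BASE]
# Returns 0 when PATH is absolute, has no '..' component, contains none of
# the characters that matter to a shell or to the line-oriented $GITHUB_PATH
# file, and (when TRUSTED_BASE is given) lies beneath that directory.
# Prints the reason for a rejection on stderr.
validate_action_path() {
  path=$1
  base=${2:-}

  case $path in
    /*) ;;
    *)  echo "rejected: not an absolute path: $path" >&2; return 1 ;;
  esac

  # A newline would let a second entry be smuggled into $GITHUB_PATH;
  # the other characters are rejected so the path is safe to reuse in shell steps.
  case $path in
    *"$NL"* | *"$TAB"* | *' '* | *';'* | *'`'* | *'$'* | *'"'* | *'\'*)
      echo "rejected: path contains a disallowed character" >&2; return 1 ;;
  esac

  case "/$path/" in
    */../*) echo "rejected: path contains a '..' component" >&2; return 1 ;;
  esac

  if [ -n "$base" ]; then
    case $path in
      "$base"/*) ;;
      *) echo "rejected: $path is not under $base" >&2; return 1 ;;
    esac
  fi
  return 0
}

# add_bin_to_github_path PATH [TRUSTED_BASE]
# Appends PATH/bin to the file named by $GITHUB_PATH only after validation.
add_bin_to_github_path() {
  validate_action_path "$1" "${2:-}" || return 1
  printf '%s/bin\n' "$1" >> "$GITHUB_PATH"
}

# Demo with constructed values (run with: sh this_script.sh --demo).
if [ "${1:-}" = "--demo" ]; then
  GITHUB_PATH=${GITHUB_PATH:-/tmp/github_path.demo}
  BASE=/opt/runner/_work/_actions   # constructed trusted base directory
  add_bin_to_github_path "$BASE/example-org/example-action/v1" "$BASE" && echo "accepted"
  add_bin_to_github_path "$BASE/evil${NL}/usr/local/bin" "$BASE" || echo "blocked newline injection"
  add_bin_to_github_path "$BASE/../escape" "$BASE" || echo "blocked traversal"
  cat "$GITHUB_PATH"
fi
```

In a workflow step the equivalent would be `add_bin_to_github_path "$ACTION_PATH" "$RUNNER_ACTIONS_DIR" || exit 1`, with the base directory supplied from a value the workflow trusts rather than from the path being checked.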
@tangrufus tangrufus merged commit 7496e5b into main Oct 16, 2025
120 of 121 checks passed
@tangrufus tangrufus deleted the php-matrix-v1 branch October 16, 2025 04:41