Fix variable injection vulnerability in helm-release workflow (#541)

* Fix variable injection vulnerability in helm-release workflow - Use explicit env block to pass GitHub context variables safely - Remove duplicate hardcoded git config that overwrote earlier settings - Prevents potential shell injection via expansion Signed-off-by: luojiyin <luojiyin@hotmail.com> * Fix git config for gh-pages repository checkout Apply git user config inside gh-pages directory before commit, as the earlier config only applies to the main repository checkout. Signed-off-by: luojiyin <luojiyin@hotmail.com> --------- Signed-off-by: luojiyin <luojiyin@hotmail.com>
2026-04-07 14:31:25 +00:00 · 2026-01-08 04:12:08 +08:00
parent b6d67b5348
commit 828c53f62d
1 changed files with 11 additions and 5 deletions
--- a/.github/workflows/helm-release.yaml
+++ b/.github/workflows/helm-release.yaml
@@ -22,9 +22,12 @@ jobs:
          fetch-depth: 0

      - name: Configure Git
+        env:
+          GIT_USER_NAME: ${{ github.actor }}
+          GIT_USER_EMAIL: ${{ github.actor }}@users.noreply.github.com
        run: |
-          git config user.name "$GITHUB_ACTOR"
-          git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
+          git config user.name "$GIT_USER_NAME"
+          git config user.email "$GIT_USER_EMAIL"

      - name: Install Helm
        uses: azure/setup-helm@v3
@@ -64,18 +67,21 @@ jobs:
          path: gh-pages

      - name: Update index and push
+        env:
+          GIT_USER_NAME: ${{ github.actor }}
+          GIT_USER_EMAIL: ${{ github.actor }}@users.noreply.github.com
        run: |
          # Copy packaged chart
          cp .cr-release-packages/*.tgz gh-pages/
-          
+
          # Update index
          helm repo index gh-pages --url https://we-promise.github.io/sure --merge gh-pages/index.yaml

          # Push to gh-pages
-          git config --global user.email "sure-admin@sure.am"
-          git config --global user.name "sure-admin"
          git config --global credential.helper cache
          cd gh-pages
+          git config user.name "$GIT_USER_NAME"
+          git config user.email "$GIT_USER_EMAIL"
          git add .
          git commit -m "Release nightly: ${{ steps.version.outputs.version }}"
          git push