mirror of
https://github.com/we-promise/sure.git
synced 2026-05-30 07:49:01 +00:00
Pulls `github.event.pull_request.number` and `github.event.pull_request.head.sha` out of every shell `run:` block and `actions/github-script` body into job-level env vars. The PR number is nominally an integer (no immediate injection risk), but the *pattern* of inlining a `github.event.*` expression into a privileged workflow's shell scripts is what the SAST finding wants to eliminate:

- The workflow holds `CLOUDFLARE_API_TOKEN` and `CLOUDFLARE_ACCOUNT_ID`.
- A future copy/paste of one of these step bodies onto a user-controlled string (branch name, PR title, commit message) would silently become an arbitrary command-injection path.

Touches:

- Job-level `env: { PR_NUMBER, HEAD_SHA }` so every step inherits.
- "Configure preview files": `sed` substitution now reads `${PR_NUMBER}` from the shell env (the literal-placeholder side stays escaped as `\${PR_NUMBER}`).
- "Delete existing preview container app" + "Delete existing preview Worker": shell var assignments use `${PR_NUMBER}`.
- "Create GitHub Deployment" github-script: `process.env.PR_NUMBER` inside the JS template literal instead of GHA template interpolation.
- "Deploy to Cloudflare Containers": `${PR_NUMBER}` in the shell; `CLOUDFLARE_WORKERS_SUBDOMAIN` also lifted into the step's `env:` block so the URL template uses `${CLOUDFLARE_WORKERS_SUBDOMAIN}`, not a templated secret expression in the shell command.
- "Comment on PR" github-script: replaces the four `${{ github.event.pull_request.* }}` interpolations with `process.env.PR_NUMBER` / `process.env.HEAD_SHA` and lifts the preview URL via step env. `issue_number` is `Number(...)`-coerced since env values are strings.
- "Store cleanup metadata" artifact name: uses `${{ env.PR_NUMBER }}` (template context, not shell).

YAML still validates (`ruby -ryaml -e 'YAML.load_file(...)'`). The only remaining `github.event.pull_request.*` references are the job-gate `if:` condition and the env-extraction definitions themselves — both safe contexts.
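As an added example (not the sure repo's workflow or any file from it), the shell side of the "Configure preview files" step in the shape the commit describes: the value arrives through the `PR_NUMBER` env var and is validated before `sed` sees it; the template filename, placeholder text and `demo` function are assumptions.

```shell
#!/bin/sh
# Added example, not the sure repo's own workflow: the shell side of the
# "Configure preview files" step in the shape the commit describes. The
# workflow has already copied github.event.pull_request.number into the
# PR_NUMBER env var; nothing below interpolates a ${{ ... }} expression.
# Template filename and placeholder text are assumptions.
set -eu

# Accept only a plain integer. Any other value stays inert data and makes
# the step fail, instead of reaching sed as part of the expression.
validate_pr_number() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Replace every literal ${PR_NUMBER} placeholder in $1, writing to $2.
# The left side of the sed expression is escaped (\${PR_NUMBER}) so the
# shell leaves it alone; the right side is the env var, expanded by the
# shell before sed runs. Digits-only input also rules out sed
# metacharacters (/, &, \) that an unvalidated value could carry.
configure_preview_file() {
  template="$1"; out="$2"
  validate_pr_number "${PR_NUMBER:-}" || {
    echo "PR_NUMBER must be an integer, got '${PR_NUMBER:-}'" >&2
    return 1
  }
  sed "s/\${PR_NUMBER}/${PR_NUMBER}/g" "$template" > "$out"
}

# Stand-alone demo on a constructed template (assumed wrangler-style key).
demo() {
  dir=$(mktemp -d)
  printf 'name = "sure-preview-${PR_NUMBER}"\n' > "$dir/wrangler.tmpl"
  PR_NUMBER=42; export PR_NUMBER
  configure_preview_file "$dir/wrangler.tmpl" "$dir/wrangler.toml"
  cat "$dir/wrangler.toml"
  rm -rf "$dir"
}

demo
```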
8.8 KiB