From 43c93dba4650066d9d867af029d73ffc8fce6a70 Mon Sep 17 00:00:00 2001
From: Chris Nyhuis
Date: Thu, 26 Mar 2026 15:02:52 -0400
Subject: [PATCH] fix: extract 10 unsafe expression(s) to env vars

Automated security fixes applied by Runner Guard (https://github.com/Vigilant-LLC/runner-guard).
Changes:
 .github/workflows/build-and-deploy-snapshot.yml | 3 ++-
 .github/workflows/distribute.yml | 11 +++++++++--
 .github/workflows/release-milestone.yml | 3 ++-
 .github/workflows/release.yml | 3 ++-
 .github/workflows/trigger-docs-build.yml | 5 ++++-
 5 files changed, 19 insertions(+), 6 deletions(-)
---
 .github/workflows/build-and-deploy-snapshot.yml | 3 ++-
 .github/workflows/distribute.yml | 11 +++++++++--
 .github/workflows/release-milestone.yml | 3 ++-
 .github/workflows/release.yml | 3 ++-
 .github/workflows/trigger-docs-build.yml | 5 ++++-
 5 files changed, 19 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/build-and-deploy-snapshot.yml b/.github/workflows/build-and-deploy-snapshot.yml
index dbcffad1b965..0e247b6a0b4f 100644
--- a/.github/workflows/build-and-deploy-snapshot.yml
+++ b/.github/workflows/build-and-deploy-snapshot.yml
@@ -60,7 +60,8 @@ jobs:
 - name: Run Deploy Docs Workflow
 env:
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- run: gh workflow run deploy-docs.yml --repo ${{ github.repository }} -r docs-build -f build-sha=${{ github.sha }} -f build-refname=${{ github.ref_name }} -f build-version=${{ needs.build-and-deploy-snapshot.outputs.version }}
+ REF_NAME: ${{ github.ref_name }}
+ run: gh workflow run deploy-docs.yml --repo ${{ github.repository }} -r docs-build -f build-sha=${{ github.sha }} -f build-refname=${REF_NAME} -f build-version=${{ needs.build-and-deploy-snapshot.outputs.version }}
 verify:
 name: Verify
 needs: build-and-deploy-snapshot
diff --git a/.github/workflows/distribute.yml b/.github/workflows/distribute.yml
index e8462178fe5c..3c2813f8b7f8 100644
--- a/.github/workflows/distribute.yml
+++ b/.github/workflows/distribute.yml
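Review bot: The new `run:` line passes `${REF_NAME}` to `gh` unquoted, so bash still word-splits and glob-expands the value that was just moved out of the template; quote it as `-f build-refname="${REF_NAME}"`. Git ref names cannot contain whitespace or glob characters, so the practical exposure here is low, but the quoting is what makes the env-var pattern sound and costs nothing. The same unquoted `${REF_NAME}` appears in the release-milestone.yml and release.yml hunks of this patch. `${{ github.repository }}`, `${{ github.sha }}` and `${{ needs.build-and-deploy-snapshot.outputs.version }}` remain interpolated into the script; the first two have a fixed shape, and the job output is presumably derived from the checked-out build — if it can originate anywhere else, move it to `env:` as well. The step's enclosing `steps:` list begins before the hunk.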
@@ -25,11 +25,14 @@ jobs:
 if: ${{ vars.COMMERCIAL && inputs.create-bundle }}
 shell: bash
 run: |
- curl -s -u "${{ secrets.COMMERCIAL_ARTIFACTORY_USERNAME }}:${{ secrets.COMMERCIAL_ARTIFACTORY_PASSWORD }}" \
+ curl -s -u "${COMMERCIAL_ARTIFACTORY_USERNAME}:${COMMERCIAL_ARTIFACTORY_PASSWORD}" \
 -X POST -H "X-JFrog-Signing-Key-Name: packagesKey" -H "Content-Type: application/json" \
 "https://usw1.packages.broadcom.com/lifecycle/api/v2/release_bundle?project=spring" \
 -d '{"release_bundle_name": "TNZ-spring-boot-commercial", "release_bundle_version": "${{ inputs.version }}", "skip_docker_manifest_resolution": true, "source_type": "builds", "source": {"builds": [ {"build_repository": "spring-build-info", "build_name": "spring-boot-commercial-${{ inputs.version }}", "build_number": "${{ inputs.build-number }}", "include_dependencies": false}]}}' | \
 jq -e 'if has("repository_key") then . else halt_error end'
+ env:
+ COMMERCIAL_ARTIFACTORY_USERNAME: ${{ secrets.COMMERCIAL_ARTIFACTORY_USERNAME }}
+ COMMERCIAL_ARTIFACTORY_PASSWORD: ${{ secrets.COMMERCIAL_ARTIFACTORY_PASSWORD }}
 - name: Sleep
 if: ${{ vars.COMMERCIAL && inputs.create-bundle }}
 shell: bash
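Review bot: The extraction stops at the credentials; `${{ inputs.version }}` and `${{ inputs.build-number }}` are still expanded by the template engine inside the single-quoted `-d '...'` JSON here and, in the next hunk of this file, inside the request URL, so a value containing `'` would end the quoted argument and the remainder would be interpreted by bash. These are workflow inputs (`workflow_call` or `workflow_dispatch`; the trigger is outside the hunk) whose trust depends on the caller, so passing them through `env:` and building the payload with `jq --arg` keeps them data regardless of where they came from. The secrets are better off in `env:` than in the rendered script, but `-u "${COMMERCIAL_ARTIFACTORY_USERNAME}:${COMMERCIAL_ARTIFACTORY_PASSWORD}"` still places them in curl's argv, visible in the runner's process list for the duration of the request; `--netrc-file` or `-K -` with a config on stdin avoids that. Placing `env:` after `run:` also differs from the `env:`-before-`run:` order used in the other workflows in this patch.
```yaml
        # … unchanged: step name, if:, shell: bash …
        env:
          COMMERCIAL_ARTIFACTORY_USERNAME: ${{ secrets.COMMERCIAL_ARTIFACTORY_USERNAME }}
          COMMERCIAL_ARTIFACTORY_PASSWORD: ${{ secrets.COMMERCIAL_ARTIFACTORY_PASSWORD }}
          RELEASE_VERSION: ${{ inputs.version }}
          BUILD_NUMBER: ${{ inputs.build-number }}
        run: |
          payload="$(jq -n --arg version "${RELEASE_VERSION}" --arg build_number "${BUILD_NUMBER}" \
            '{release_bundle_name: "TNZ-spring-boot-commercial", release_bundle_version: $version, skip_docker_manifest_resolution: true, source_type: "builds", source: {builds: [{build_repository: "spring-build-info", build_name: ("spring-boot-commercial-" + $version), build_number: $build_number, include_dependencies: false}]}}')"
          curl -s -u "${COMMERCIAL_ARTIFACTORY_USERNAME}:${COMMERCIAL_ARTIFACTORY_PASSWORD}" \
            -X POST -H "X-JFrog-Signing-Key-Name: packagesKey" -H "Content-Type: application/json" \
            "https://usw1.packages.broadcom.com/lifecycle/api/v2/release_bundle?project=spring" \
            -d "${payload}" | \
            jq -e 'if has("repository_key") then . else halt_error end'
```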
@@ -38,8 +41,12 @@ jobs:
 if: ${{ vars.COMMERCIAL }}
 shell: bash
 run: |
- curl -s -u "${{ secrets.COMMERCIAL_ARTIFACTORY_USERNAME }}:${{ secrets.COMMERCIAL_ARTIFACTORY_PASSWORD }}" \
+ curl -s -u "${COMMERCIAL_ARTIFACTORY_USERNAME}:${COMMERCIAL_ARTIFACTORY_PASSWORD}" \
 -X POST -H "Content-Type: application/json" \
 "https://usw1.packages.broadcom.com/lifecycle/api/v2/distribution/distribute/TNZ-spring-boot-commercial/${{ inputs.version }}?project=spring" \
 -d '{"auto_create_missing_repositories": "false", "distribution_rules": [{"site_name": "JP-SaaS"}], "modifications": {"mappings": [{"input": "spring-enterprise-maven-prod-local/(.*)", "output": "spring-enterprise/$1"}]}}' | \
 jq -e 'if has("id") then . else halt_error end'
+
+ env:
+ COMMERCIAL_ARTIFACTORY_USERNAME: ${{ secrets.COMMERCIAL_ARTIFACTORY_USERNAME }}
+ COMMERCIAL_ARTIFACTORY_PASSWORD: ${{ secrets.COMMERCIAL_ARTIFACTORY_PASSWORD }}
\ No newline at end of file
diff --git a/.github/workflows/release-milestone.yml b/.github/workflows/release-milestone.yml
index 4d1bf14026c0..98bbf8d5f185 100644
--- a/.github/workflows/release-milestone.yml
+++ b/.github/workflows/release-milestone.yml
@@ -110,7 +110,8 @@ jobs:
 - name: Run Deploy Docs Workflow
 env:
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- run: gh workflow run deploy-docs.yml --repo ${{ github.repository }} -r docs-build -f build-refname=${{ github.ref_name }} -f build-version=${{ needs.build-and-stage-release.outputs.version }}
+ REF_NAME: ${{ github.ref_name }}
+ run: gh workflow run deploy-docs.yml --repo ${{ github.repository }} -r docs-build -f build-refname=${REF_NAME} -f build-version=${{ needs.build-and-stage-release.outputs.version }}
 create-github-release:
 name: Create GitHub Release
 needs:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 9c4474949206..bf30be83433d 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
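Review bot: The added `env:` block is preceded by an empty added line and the file now ends with `\ No newline at end of file`, whereas the old last line was a context line and so did have one; both will be flagged by yamllint (`empty-lines`, `new-line-at-end-of-file`), so drop the blank line and terminate the final line. The step's `if:` and `shell:` keys sit at the top of the hunk, and the `env:` block belongs with them before `run:` as in the other workflows touched here, rather than appended after the script. The `${{ inputs.version }}` left in the request URL has the same template-expansion issue as the release-bundle step in the previous hunk.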
@@ -156,7 +156,8 @@ jobs:
 - name: Run Deploy Docs Workflow
 env:
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- run: gh workflow run deploy-docs.yml --repo ${{ github.repository }} -r docs-build -f build-refname=${{ github.ref_name }} -f build-version=${{ needs.build-and-stage-release.outputs.version }}
+ REF_NAME: ${{ github.ref_name }}
+ run: gh workflow run deploy-docs.yml --repo ${{ github.repository }} -r docs-build -f build-refname=${REF_NAME} -f build-version=${{ needs.build-and-stage-release.outputs.version }}
 create-github-release:
 name: Create GitHub Release
 needs:
diff --git a/.github/workflows/trigger-docs-build.yml b/.github/workflows/trigger-docs-build.yml
index 60a6f6e044a6..1ce3fff90d4f 100644
--- a/.github/workflows/trigger-docs-build.yml
+++ b/.github/workflows/trigger-docs-build.yml
@@ -32,4 +32,7 @@ jobs:
 - name: Trigger Workflow
 env:
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- run: gh workflow run deploy-docs.yml -r docs-build -f build-refname=${{ github.event.inputs.build-refname }} -f build-sha=${{ github.event.inputs.build-sha }} -f build-version=${{ github.event.inputs.build-version }}
+ INPUT_BUILD_REFNAME: ${{ github.event.inputs.build-refname }}
+ INPUT_BUILD_SHA: ${{ github.event.inputs.build-sha }}
+ INPUT_BUILD_VERSION: ${{ github.event.inputs.build-version }}
+ run: gh workflow run deploy-docs.yml -r docs-build -f build-refname=${INPUT_BUILD_REFNAME} -f build-sha=${INPUT_BUILD_SHA} -f build-version=${INPUT_BUILD_VERSION}
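Review bot: The three expansions on the new `run:` line of trigger-docs-build.yml are unquoted, so the `workflow_dispatch` inputs just moved into `env:` are still word-split by bash before `gh` sees them, and an input containing whitespace becomes extra arguments to `gh workflow run` — the argument injection the env-var extraction is meant to close. Quote each one: `-f build-refname="${INPUT_BUILD_REFNAME}" -f build-sha="${INPUT_BUILD_SHA}" -f build-version="${INPUT_BUILD_VERSION}"`. Unlike the push-triggered workflows in this patch, these values come from whoever is permitted to dispatch the workflow, so this is the hunk where the quoting matters most. Validating the inputs up front (for example that `INPUT_BUILD_SHA` is hexadecimal) before invoking `gh` would make the step fail closed on malformed values.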