From fe826b1a4a2119539c1a5798ce5b38c30d4cfd15 Mon Sep 17 00:00:00 2001
From: dagecko
Date: Fri, 27 Mar 2026 19:03:16 -0400
Subject: [PATCH 1/2] fix: pin 0 actions to commit SHA, extract 10 expressions to env vars
---
.github/workflows/build-and-deploy-snapshot.yml | 3 ++-
.github/workflows/distribute.yml | 11 +++++++++--
.github/workflows/release-milestone.yml | 3 ++-
.github/workflows/release.yml | 3 ++-
.github/workflows/trigger-docs-build.yml | 5 ++++-
5 files changed, 19 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/build-and-deploy-snapshot.yml b/.github/workflows/build-and-deploy-snapshot.yml
index dbcffad1b965..0e247b6a0b4f 100644
--- a/.github/workflows/build-and-deploy-snapshot.yml
+++ b/.github/workflows/build-and-deploy-snapshot.yml
@@ -60,7 +60,8 @@ jobs: - name: Run Deploy Docs Workflow env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: gh workflow run deploy-docs.yml --repo ${{ github.repository }} -r docs-build -f build-sha=${{ github.sha }} -f build-refname=${{ github.ref_name }} -f build-version=${{ needs.build-and-deploy-snapshot.outputs.version }} + REF_NAME: ${{ github.ref_name }} + run: gh workflow run deploy-docs.yml --repo ${{ github.repository }} -r docs-build -f build-sha=${{ github.sha }} -f build-refname=${REF_NAME} -f build-version=${{ needs.build-and-deploy-snapshot.outputs.version }} verify: name: Verify needs: build-and-deploy-snapshot
diff --git a/.github/workflows/distribute.yml b/.github/workflows/distribute.yml
index e8462178fe5c..3c2813f8b7f8 100644
--- a/.github/workflows/distribute.yml
+++ b/.github/workflows/distribute.yml
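Review bot: `${{ needs.build-and-deploy-snapshot.outputs.version }}` is still interpolated into the script on the new `+ run:` line, so the step is only partly moved off template expansion; a job output is a string set by an earlier step, and the commit's own rationale for `github.ref_name` applies to it as well. Add `BUILD_VERSION: ${{ needs.build-and-deploy-snapshot.outputs.version }}` next to `REF_NAME` and pass `-f build-version="${BUILD_VERSION}"`. `github.repository` and `github.sha` are restricted by GitHub to a narrow character set and can stay inline. The same inline `outputs.version` expression remains in the release-milestone.yml (@@ -110) and release.yml (@@ -156) hunks, and patch 2 in this series does not touch it either.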
@@ -25,11 +25,14 @@ jobs: if: ${{ vars.COMMERCIAL && inputs.create-bundle }} shell: bash run: | - curl -s -u "${{ secrets.COMMERCIAL_ARTIFACTORY_USERNAME }}:${{ secrets.COMMERCIAL_ARTIFACTORY_PASSWORD }}" \ + curl -s -u "${COMMERCIAL_ARTIFACTORY_USERNAME}:${COMMERCIAL_ARTIFACTORY_PASSWORD}" \ -X POST -H "X-JFrog-Signing-Key-Name: packagesKey" -H "Content-Type: application/json" \ "https://usw1.packages.broadcom.com/lifecycle/api/v2/release_bundle?project=spring" \ -d '{"release_bundle_name": "TNZ-spring-boot-commercial", "release_bundle_version": "${{ inputs.version }}", "skip_docker_manifest_resolution": true, "source_type": "builds", "source": {"builds": [ {"build_repository": "spring-build-info", "build_name": "spring-boot-commercial-${{ inputs.version }}", "build_number": "${{ inputs.build-number }}", "include_dependencies": false}]}}' | \ jq -e 'if has("repository_key") then . else halt_error end' + env: + COMMERCIAL_ARTIFACTORY_USERNAME: ${{ secrets.COMMERCIAL_ARTIFACTORY_USERNAME }} + COMMERCIAL_ARTIFACTORY_PASSWORD: ${{ secrets.COMMERCIAL_ARTIFACTORY_PASSWORD }} - name: Sleep if: ${{ vars.COMMERCIAL && inputs.create-bundle }} shell: bash 
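Review bot: `${{ inputs.version }}` and `${{ inputs.build-number }}` are still expanded into the `run:` script on the unchanged `-d '{...}'` line, inside a single-quoted JSON literal, so the step keeps the template-interpolation surface this commit is meant to close; only the two secrets were moved to `env:`. The inputs should be moved there as well and the JSON body built by `jq --arg`, which also JSON-escapes the values, with the result piped to `curl -d @-`; that removes the shell quoting and the JSON quoting problem in one step. The `${{ inputs.version }}` in the URL of the next hunk (@@ -38) has the same issue and would be handled the same way. Placing the new `env:` after `run:` is valid YAML but differs from the other workflows in this series, which put `env:` before `run:`; keeping the order consistent makes the step easier to review.
```yaml
        run: |
          jq -cn --arg version "${VERSION}" --arg build_number "${BUILD_NUMBER}" \
            '{release_bundle_name: "TNZ-spring-boot-commercial", release_bundle_version: $version, skip_docker_manifest_resolution: true, source_type: "builds", source: {builds: [{build_repository: "spring-build-info", build_name: ("spring-boot-commercial-" + $version), build_number: $build_number, include_dependencies: false}]}}' | \
          curl -s -u "${COMMERCIAL_ARTIFACTORY_USERNAME}:${COMMERCIAL_ARTIFACTORY_PASSWORD}" \
            -X POST -H "X-JFrog-Signing-Key-Name: packagesKey" -H "Content-Type: application/json" \
            "https://usw1.packages.broadcom.com/lifecycle/api/v2/release_bundle?project=spring" \
            -d @- | \
          jq -e 'if has("repository_key") then . else halt_error end'
        env:
          VERSION: ${{ inputs.version }}
          BUILD_NUMBER: ${{ inputs.build-number }}
          # … unchanged: COMMERCIAL_ARTIFACTORY_USERNAME / COMMERCIAL_ARTIFACTORY_PASSWORD entries …
```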
@@ -38,8 +41,12 @@ jobs: if: ${{ vars.COMMERCIAL }} shell: bash run: | - curl -s -u "${{ secrets.COMMERCIAL_ARTIFACTORY_USERNAME }}:${{ secrets.COMMERCIAL_ARTIFACTORY_PASSWORD }}" \ + curl -s -u "${COMMERCIAL_ARTIFACTORY_USERNAME}:${COMMERCIAL_ARTIFACTORY_PASSWORD}" \ -X POST -H "Content-Type: application/json" \ "https://usw1.packages.broadcom.com/lifecycle/api/v2/distribution/distribute/TNZ-spring-boot-commercial/${{ inputs.version }}?project=spring" \ -d '{"auto_create_missing_repositories": "false", "distribution_rules": [{"site_name": "JP-SaaS"}], "modifications": {"mappings": [{"input": "spring-enterprise-maven-prod-local/(.*)", "output": "spring-enterprise/$1"}]}}' | \ jq -e 'if has("id") then . else halt_error end' + + env: + COMMERCIAL_ARTIFACTORY_USERNAME: ${{ secrets.COMMERCIAL_ARTIFACTORY_USERNAME }} + COMMERCIAL_ARTIFACTORY_PASSWORD: ${{ secrets.COMMERCIAL_ARTIFACTORY_PASSWORD }} \ No newline at end of file
diff --git a/.github/workflows/release-milestone.yml b/.github/workflows/release-milestone.yml
index 4d1bf14026c0..98bbf8d5f185 100644
--- a/.github/workflows/release-milestone.yml
+++ b/.github/workflows/release-milestone.yml
@@ -110,7 +110,8 @@ jobs: - name: Run Deploy Docs Workflow env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: gh workflow run deploy-docs.yml --repo ${{ github.repository }} -r docs-build -f build-refname=${{ github.ref_name }} -f build-version=${{ needs.build-and-stage-release.outputs.version }} + REF_NAME: ${{ github.ref_name }} + run: gh workflow run deploy-docs.yml --repo ${{ github.repository }} -r docs-build -f build-refname=${REF_NAME} -f build-version=${{ needs.build-and-stage-release.outputs.version }} create-github-release: name: Create GitHub Release needs:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 9c4474949206..bf30be83433d 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
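Review bot: The blank `+` line added between the `run: |` block scalar and the new `env:` mapping, together with the `\ No newline at end of file` marker, are stray edits that the earlier hunk in this file (@@ -25) does not make; the blank line is harmless to the block scalar under clip chomping but leaves the two distribute steps formatted differently, and the missing final newline will show up as noise in the next change to this file. Drop the blank line and end the file with a newline so the step reads like the one above it.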
@@ -156,7 +156,8 @@ jobs: - name: Run Deploy Docs Workflow env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: gh workflow run deploy-docs.yml --repo ${{ github.repository }} -r docs-build -f build-refname=${{ github.ref_name }} -f build-version=${{ needs.build-and-stage-release.outputs.version }} + REF_NAME: ${{ github.ref_name }} + run: gh workflow run deploy-docs.yml --repo ${{ github.repository }} -r docs-build -f build-refname=${REF_NAME} -f build-version=${{ needs.build-and-stage-release.outputs.version }} create-github-release: name: Create GitHub Release needs:
diff --git a/.github/workflows/trigger-docs-build.yml b/.github/workflows/trigger-docs-build.yml
index 60a6f6e044a6..1ce3fff90d4f 100644
--- a/.github/workflows/trigger-docs-build.yml
+++ b/.github/workflows/trigger-docs-build.yml
@@ -32,4 +32,7 @@ jobs: - name: Trigger Workflow env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: gh workflow run deploy-docs.yml -r docs-build -f build-refname=${{ github.event.inputs.build-refname }} -f build-sha=${{ github.event.inputs.build-sha }} -f build-version=${{ github.event.inputs.build-version }} + INPUT_BUILD_REFNAME: ${{ github.event.inputs.build-refname }} + INPUT_BUILD_SHA: ${{ github.event.inputs.build-sha }} + INPUT_BUILD_VERSION: ${{ github.event.inputs.build-version }} + run: gh workflow run deploy-docs.yml -r docs-build -f build-refname=${INPUT_BUILD_REFNAME} -f build-sha=${INPUT_BUILD_SHA} -f build-version=${INPUT_BUILD_VERSION}
From c20667d182ddf3ed08bae37b3f37923673395add Mon Sep 17 00:00:00 2001
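Review bot: The three `workflow_dispatch` inputs moved into `env:` on the `+ INPUT_BUILD_*` lines are forwarded verbatim to `deploy-docs.yml`, so this step is the natural place to check their shape before hand-off; `build-sha` in particular can be validated with `[[ "${INPUT_BUILD_SHA}" =~ ^[0-9a-f]{7,40}$ ]] || { echo "build-sha is not a commit SHA" >&2; exit 1; }` in a `run: |` block ahead of the `gh workflow run` call (the default shell on Linux runners is bash). Whether `deploy-docs.yml` interpolates these inputs with `${{ }}` is not visible in this patch; if it does, the extraction here protects only this step. The `INPUT_*` names match the `INPUT_<name>` convention GitHub uses for automatically provided action inputs, which may suggest they are set by the runner; a comment above the `env:` block such as `# workflow_dispatch inputs, passed through the environment rather than interpolated into the script` would make the intent clear. The same applies to patch 2's version of this hunk (@@ -35).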
From: dagecko
Date: Sat, 28 Mar 2026 12:36:18 -0400
Subject: [PATCH 2/2] fix: properly quote env var references to prevent shell injection
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Per review feedback from @wilkinsona — unquoted env vars are still vulnerable to shell injection. Adding double quotes around all env var references in command arguments.
---
.github/workflows/build-and-deploy-snapshot.yml | 2 +-
.github/workflows/release-milestone.yml | 2 +-
.github/workflows/release.yml | 2 +-
.github/workflows/trigger-docs-build.yml | 2 +-
4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/build-and-deploy-snapshot.yml b/.github/workflows/build-and-deploy-snapshot.yml
index 0e247b6a0b4f..5930e9583542 100644
--- a/.github/workflows/build-and-deploy-snapshot.yml
+++ b/.github/workflows/build-and-deploy-snapshot.yml
@@ -61,7 +61,7 @@ jobs: env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} REF_NAME: ${{ github.ref_name }} - run: gh workflow run deploy-docs.yml --repo ${{ github.repository }} -r docs-build -f build-sha=${{ github.sha }} -f build-refname=${REF_NAME} -f build-version=${{ needs.build-and-deploy-snapshot.outputs.version }} + run: gh workflow run deploy-docs.yml --repo ${{ github.repository }} -r docs-build -f build-sha=${{ github.sha }} -f build-refname="${REF_NAME}" -f build-version=${{ needs.build-and-deploy-snapshot.outputs.version }} verify: name: Verify needs: build-and-deploy-snapshot
diff --git a/.github/workflows/release-milestone.yml b/.github/workflows/release-milestone.yml
index 98bbf8d5f185..3b456607de00 100644
--- a/.github/workflows/release-milestone.yml
+++ b/.github/workflows/release-milestone.yml
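Review bot: The quotes added around `${REF_NAME}` on the `+ run:` line guard against word splitting and pathname expansion of the value, not against command execution: the result of a parameter expansion is never re-parsed as shell syntax, so the command-execution risk was closed by patch 1 when `github.ref_name` left the `${{ }}` interpolation. The commit message's "still vulnerable to shell injection" overstates what the unquoted form allowed, and a future reader may take the quoting for the actual fix; a short comment on the `env:` entry, `# read from the environment so the ref name is never interpolated into the script`, records where the real protection lies. The `run:` line is also well past 120 characters; a `run: |` block with one `-f` argument per backslash-continued line would keep the quoting visible at a glance. The same applies to the release-milestone.yml (@@ -111) and release.yml (@@ -157) hunks.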
@@ -111,7 +111,7 @@ jobs: env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} REF_NAME: ${{ github.ref_name }} - run: gh workflow run deploy-docs.yml --repo ${{ github.repository }} -r docs-build -f build-refname=${REF_NAME} -f build-version=${{ needs.build-and-stage-release.outputs.version }} + run: gh workflow run deploy-docs.yml --repo ${{ github.repository }} -r docs-build -f build-refname="${REF_NAME}" -f build-version=${{ needs.build-and-stage-release.outputs.version }} create-github-release: name: Create GitHub Release needs:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index bf30be83433d..72f408af1e70 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -157,7 +157,7 @@ jobs: env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} REF_NAME: ${{ github.ref_name }} - run: gh workflow run deploy-docs.yml --repo ${{ github.repository }} -r docs-build -f build-refname=${REF_NAME} -f build-version=${{ needs.build-and-stage-release.outputs.version }} + run: gh workflow run deploy-docs.yml --repo ${{ github.repository }} -r docs-build -f build-refname="${REF_NAME}" -f build-version=${{ needs.build-and-stage-release.outputs.version }} create-github-release: name: Create GitHub Release needs:
diff --git a/.github/workflows/trigger-docs-build.yml b/.github/workflows/trigger-docs-build.yml
index 1ce3fff90d4f..0ff67c8a95a6 100644
--- a/.github/workflows/trigger-docs-build.yml
+++ b/.github/workflows/trigger-docs-build.yml
@@ -35,4 +35,4 @@ jobs: INPUT_BUILD_REFNAME: ${{ github.event.inputs.build-refname }} INPUT_BUILD_SHA: ${{ github.event.inputs.build-sha }} INPUT_BUILD_VERSION: ${{ github.event.inputs.build-version }} - run: gh workflow run deploy-docs.yml -r docs-build -f build-refname=${INPUT_BUILD_REFNAME} -f build-sha=${INPUT_BUILD_SHA} -f build-version=${INPUT_BUILD_VERSION} + run: gh workflow run deploy-docs.yml -r docs-build -f build-refname="${INPUT_BUILD_REFNAME}" -f build-sha="${INPUT_BUILD_SHA}" -f build-version="${INPUT_BUILD_VERSION}"