diff --git a/.github/composite-actions/install/action.yml b/.github/composite-actions/install/action.yml
index b6af10a..98b496e 100644
--- a/.github/composite-actions/install/action.yml
+++ b/.github/composite-actions/install/action.yml
@@ -59,15 +59,20 @@ runs:
- name: Parse filter
id: parse-filter
shell: bash
+ env:
+ FILTER: ${{ inputs.filter }}
run: |
- echo "pnpm-filter-args=$(echo '"${{ inputs.filter }}"' | jq -r 'split(" ") | map(select(. != "")) | map("--filter " + .) | join(" ")')" >> "$GITHUB_OUTPUT"
+ echo "pnpm-filter-args=$(jq -rn --arg filter "$FILTER" '$filter | split(" ") | map(select(. != "")) | map("--filter " + .) | join(" ")')" >> "$GITHUB_OUTPUT"
- name: Install dependencies
shell: bash
run: |
- pnpm config set //vercel-private-registry.vercel.sh/:_authToken ${{ inputs.vercel-private-registry-token }}
- # filter is a JSON string, so we need to parse it and pass it as separate arguments
- pnpm ${{ steps.parse-filter.outputs.pnpm-filter-args }} install --frozen-lockfile
+ pnpm config set //vercel-private-registry.vercel.sh/:_authToken "$VERCEL_PRIVATE_REGISTRY_TOKEN"
+ # PNPM_FILTER_ARGS is intentionally unquoted: it contains multiple --filter
+ # arguments that must be word-split into separate flags.
+ # shellcheck disable=SC2086
+ pnpm $PNPM_FILTER_ARGS install --frozen-lockfile
env:
NODE_AUTH_TOKEN: ${{ inputs.npm-token }}
VERCEL_PRIVATE_REGISTRY_TOKEN: ${{ inputs.vercel-private-registry-token }}
+ PNPM_FILTER_ARGS: ${{ steps.parse-filter.outputs.pnpm-filter-args }}
diff --git a/SECURITY.md b/SECURITY.md
index efb3959..79ff886 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -5,3 +5,4 @@ If you believe you have found a security vulnerability, we encourage you to let
We will investigate all legitimate reports and do our best to quickly fix the problem.
Please report any vulnerabilities in our open source repositories to responsible.disclosure@vercel.com.
+package-lock.json
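Review bot: The jq expression in the new Parse filter step splits only on the literal space character, so a tab or newline inside `inputs.filter` survives into `pnpm-filter-args`; `jq -r` then writes it raw into `$GITHUB_OUTPUT`, whose line-oriented `name=value` format would presumably read the text after a newline as a further output line, and a tab would reach the install step as a stray word rather than a `--filter` value once `$PNPM_FILTER_ARGS` is word-split. Splitting on any whitespace closes both cases in one line, `'$filter | split("\\s+"; "") | map(select(. != "")) | map("--filter " + .) | join(" ")'`. Separately, the deliberately unquoted `$PNPM_FILTER_ARGS` undergoes pathname expansion as well as word splitting, so a selector containing `*` (for example `@scope/*`) could be rewritten by bash if a matching path exists in the checkout; adding `set -f` on the line before `pnpm $PNPM_FILTER_ARGS install --frozen-lockfile` keeps the intended word splitting while disabling globbing. The `steps:` sequence these two steps belong to starts and ends outside the hunk.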
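Review bot: The line `package-lock.json` appended to the end of SECURITY.md reads as an ignore-file entry rather than disclosure-policy text, and nothing in the hunk explains it. If it was meant for `.gitignore` or `.prettierignore` it should be moved there; otherwise it looks like an accidental paste and should be dropped from this commit.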