Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security: restrict workflow context #3124

Merged
merged 2 commits into from
Nov 18, 2024
Merged

Security: restrict workflow context #3124

merged 2 commits into from
Nov 18, 2024

Conversation

yanyongyu
Copy link
Member

Related to: GHSA-mjw5-7mvp-34wc

@yanyongyu yanyongyu added skip-changelog PR will not be included in changelog github_actions Pull requests that update GitHub Actions code labels Nov 17, 2024
polarathene
polarathene approved these changes Nov 17, 2024
View reviewed changes
Copy link
Contributor

@polarathene polarathene left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 👍

I'm not sure if anyone outside your organization members (and myself) can view the advisory linked. That might require me to update the "Affected products" section, but I'm not sure what I'd put there 😅

The change suggestions added from this review aren't too important, but often a good practice to refer to shell/env variables with ${ + }.

.github/workflows/website-preview-cd.yml Outdated Show resolved Hide resolved
.github/workflows/website-preview-cd.yml Outdated Show resolved Hide resolved
@polarathene
Copy link
Contributor

polarathene commented Nov 17, 2024
edited
Loading

You should be good to merge this PR as a fix, but I'll ping @pwntester from GHSL and he'll let you know if anything else needs to be addressed 👍

@polarathene polarathene mentioned this pull request Nov 17, 2024
Closed
6 tasks
pwntester
pwntester approved these changes Nov 18, 2024
View reviewed changes
.github/workflows/website-preview-cd.yml Outdated Show resolved Hide resolved
@yanyongyu yanyongyu merged commit 83552d6 into master Nov 18, 2024
9 of 10 checks passed
@yanyongyu yanyongyu deleted the fix/website-preview branch November 18, 2024 15:09
@polarathene
Copy link
Contributor

Just to chime in about the recent change (that I didn't notice with my review, whoops! 😅 ), in the referenced advisory (not publicly viewable) I had shown the env configuration for usage with $GITHUB_OUTPUT, not $GITHUB_ENV where it'd have been unnecessary.

The advisory discussed a few options and I could probably have explained them more clearly.

@polarathene polarathene mentioned this pull request Nov 18, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pwntester pwntester pwntester approved these changes

@StarHeartHunt StarHeartHunt StarHeartHunt approved these changes

@polarathene polarathene polarathene approved these changes

Assignees
No one assigned
Labels
github_actions Pull requests that update GitHub Actions code skip-changelog PR will not be included in changelog
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@yanyongyu @polarathene @pwntester @StarHeartHunt