ci: Fix CI workflows to prevent script injection by yiannistri · Pull Request #4046 · weaveworks/weave-gitops

yiannistri · 2023-09-29T12:28:22Z

What changed?
Introduced an intermediate environment variable to prevent script injection in CI workflows. See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable for more details.

Why was this change made?
To prevent script injection in CI. Also to address issues such as https://github.com/weaveworks/weave-gitops/security/code-scanning/3781

How was this change implemented?
By introducing an intermediate environment variable.

How did you validate the change?
CI

Release notes
N/A

Documentation Changes
N/A

… variable

yiannistri added 2 commits September 29, 2023 14:12

ci: Avoid script injection by introducing an intermediate environment…

96fd612

… variable

ci: Remove sed command for non-existent file

b323564

yiannistri force-pushed the fix-dangerous-workflows branch from 9921447 to b323564 Compare September 29, 2023 13:13

yiannistri requested a review from yitsushi September 29, 2023 13:15

yitsushi approved these changes Sep 29, 2023

View reviewed changes

yiannistri merged commit 9281d45 into main Sep 29, 2023

yiannistri deleted the fix-dangerous-workflows branch September 29, 2023 16:01

foot mentioned this pull request Oct 9, 2023

Fixes staging-docs #4070

Merged

weave-gitops-bot mentioned this pull request Oct 11, 2023

Updates for 0.34.0 #4075

Merged

yiannistri mentioned this pull request Oct 11, 2023

Fix Slack notification for a new release #4076

Closed

weave-gitops-bot mentioned this pull request Oct 25, 2023

Updates for 0.35.0 #4101

Merged

weave-gitops-bot mentioned this pull request Jan 2, 2025

WIP - Do not merge - Updates for 0.39.0-rc.1 #4370

Closed

Provide feedback