From 96fd6120798ebed80c46c631d01fe5028fb665fa Mon Sep 17 00:00:00 2001
From: yiannis
Date: Fri, 29 Sep 2023 13:08:00 +0100
Subject: [PATCH 1/2] ci: Avoid script injection by introducing an intermediate environment variable
---
 .github/workflows/docs.yaml | 7 +++++--
 .github/workflows/release.yaml | 12 +++++++++---
 2 files changed, 14 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml
index 94ed241177..269f8bb1fc 100644
--- a/.github/workflows/docs.yaml
+++ b/.github/workflows/docs.yaml
@@ -33,6 +33,7 @@ jobs:
 GA_KEY: "dummy"
 ALGOLIA_API_KEY: ${{ secrets.ALGOLIA_API_KEY }}
 NODE_OPTIONS: "--max-old-space-size=4096"
+ GITHUB_HEAD_REF: ${{ github.head_ref }}
 run: |
 if [ -e yarn.lock ]; then
 yarn install --frozen-lockfile
@@ -42,7 +43,7 @@ jobs:
 npm i
 fi
 sed -i 's#url:.*$#url: "https://staging.docs.gitops.weave.works",#' docusaurus.config.js
- sed -i 's#baseUrl:.*$#baseUrl: "/${{ github.head_ref }}/",#' docusaurus.config.js
+ sed -i 's#baseUrl:.*$#baseUrl: "/$GITHUB_HEAD_REF/",#' docusaurus.config.js
 yarn clear
 npm run build
 - id: auth
@@ -58,6 +59,8 @@ jobs:
 headers: |-
 cache-control: no-cache
 - id: add-docs-status
+ env:
+ GITHUB_HEAD_REF: ${{ github.head_ref }}
 run: |
 curl --request POST \
 --url https://api.github.com/repos/${{ github.repository }}/statuses/${{ github.event.pull_request.head.sha }} \
@@ -66,7 +69,7 @@ jobs:
 --data '{
 "state": "success",
 "context": "Doc site preview",
- "target_url": "https://staging.docs.gitops.weave.works/${{ github.head_ref }}"
+ "target_url": "https://staging.docs.gitops.weave.works/$GITHUB_HEAD_REF"
 }' \
 --fail
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 8bae072d8c..ef76f161f2 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
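Review bot: The `GITHUB_HEAD_REF` name chosen for the new `env:` entry in the `@@ -33,6 +33,7 @@` hunk collides with a variable the runner already exports: `GITHUB_HEAD_REF` is one of GitHub Actions' default environment variables (the PR head ref on `pull_request`-triggered runs), and the `GITHUB_` prefix is documented as reserved. The step could read the runner-provided value as is, or use a project-specific name such as `HEAD_REF: ${{ github.head_ref }}` so the result does not depend on how the runner treats an override of a reserved name. The same applies to the `env:` block added in the `@@ -58,6 +59,8 @@` hunk.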
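Review bot: `$GITHUB_HEAD_REF` in the new sed line of the `@@ -42,7 +43,7 @@` hunk sits inside the single-quoted sed program, so the shell never expands it and docusaurus.config.js ends up containing the literal text `baseUrl: "/$GITHUB_HEAD_REF/",`; the old `${{ }}` form was substituted before the shell saw the quotes, which is why it worked. The same applies to the `"target_url"` line in the `@@ -66,7 +69,7 @@` hunk, where `$GITHUB_HEAD_REF` is inside the single-quoted `--data '{ … }'` argument. Closing the quotes around the variable fixes the sed case, e.g. `sed -i 's#baseUrl:.*$#baseUrl: "/'"$GITHUB_HEAD_REF"'/",#' docusaurus.config.js`; for the status payload, build the JSON with jq so a `"` in a branch name cannot break the document, e.g. `--data "$(jq -cn --arg url "https://staging.docs.gitops.weave.works/$GITHUB_HEAD_REF" '{state: "success", context: "Doc site preview", target_url: $url}')"` (jq is preinstalled on GitHub-hosted Ubuntu runners; this job's runner is outside the hunk). The branch name still reaches sed as a replacement string, so a `#` or `&` in it would alter the sed expression; validating it once before either step, for example `[[ "$GITHUB_HEAD_REF" =~ ^[A-Za-z0-9._/-]+$ ]] || exit 1`, makes both uses safe.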
@@ -22,8 +22,10 @@ jobs:
 ref: ${{ github.event.pull_request.head.sha }}
 - name: Find release version
 id: release-version
+ env:
+ GITHUB_EVENT_PULL_REQUEST_HEAD_REF: ${{ github.event.pull_request.head.ref }}
 run: |
- version=$(echo ${{ github.event.pull_request.head.ref }} | cut -d'/' -f2)
+ version=$(echo $GITHUB_EVENT_PULL_REQUEST_HEAD_REF | cut -d'/' -f2)
 echo "::set-output name=version::$version"
 - name: Set tag
 run: |
@@ -125,8 +127,10 @@ jobs:
 with:
 node-version: 16.X
 - name: Set env var
+ env:
+ GITHUB_EVENT_PULL_REQUEST_HEAD_REF: ${{ github.event.pull_request.head.ref }}
 run: |
- echo "BRANCH=${{ github.event.pull_request.head.ref }}" >> $GITHUB_ENV
+ echo "BRANCH=$GITHUB_EVENT_PULL_REQUEST_HEAD_REF" >> $GITHUB_ENV
 echo "GORELEASER_PREVIOUS_TAG=$(git describe --abbrev=0 --tags $(git rev-list --tags --skip=1 --max-count=1))" >> $GITHUB_ENV
 echo "GORELEASER_CURRENT_TAG=${{ needs.tag-release.outputs.version }}" >> $GITHUB_ENV
 echo "DEV_BUCKET_CONTAINER_IMAGE=$(make echo-dev-bucket-container)" >> $GITHUB_ENV
@@ -140,9 +144,11 @@ jobs:
 run: cat .goreleaser.brew.yml >> .goreleaser.yml
 if: ${{ !contains(github.event.pull_request.head.ref, '-') }}
 - name: Store changelog
+ env:
+ GITHUB_EVENT_PULL_REQUEST_BODY: ${{ github.event.pull_request.body }}
 run: |
 cat > ${{ runner.temp }}/changelog.md <<'END_OF_CHANGELOG'
- ${{ github.event.pull_request.body }}
+ $GITHUB_EVENT_PULL_REQUEST_BODY
 END_OF_CHANGELOG
 - name: Run GoReleaser
 uses: goreleaser/goreleaser-action@v3
From b32356466cb58d6a3458f1e64c1113ae44c51a32 Mon Sep 17 00:00:00 2001
From: yiannis
Date: Fri, 29 Sep 2023 14:08:43 +0100
Subject: [PATCH 2/2] ci: Remove sed command for non-existent file
---
 .github/workflows/upgrade-flux.yaml | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/upgrade-flux.yaml b/.github/workflows/upgrade-flux.yaml
index 81131df817..983eb87c10 100644
--- a/.github/workflows/upgrade-flux.yaml
+++ b/.github/workflows/upgrade-flux.yaml
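Review bot: `$GITHUB_EVENT_PULL_REQUEST_HEAD_REF` is expanded unquoted in the new `version=$(echo …)` line of the `@@ -22,8 +22,10 @@` hunk, and the derived `$version` is emitted with no check on its shape; it appears to become the release tag (`- name: Set tag` follows, body outside the hunk) and is interpolated back into a shell line via `${{ needs.tag-release.outputs.version }}` in the retained `echo "GORELEASER_CURRENT_TAG=…"` line of the `@@ -125,8 +127,10 @@` hunk, which is the expression-in-`run:` pattern this commit removes elsewhere. Quote the variable and validate the derived value before exporting it, e.g. `version=$(printf '%s\n' "$GITHUB_EVENT_PULL_REQUEST_HEAD_REF" | cut -d'/' -f2)` followed by `[[ "$version" =~ ^v?[0-9]+\.[0-9]+\.[0-9]+([-.][0-9A-Za-z]+)*$ ]] || { echo "unexpected version: $version" >&2; exit 1; }`, adjusting the pattern to the project's tagging scheme. The retained `echo "::set-output …"` line uses the deprecated output mechanism; `echo "version=$version" >> "$GITHUB_OUTPUT"` is the current form.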
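Review bot: `$GITHUB_EVENT_PULL_REQUEST_BODY` on the new line of the `@@ -140,9 +144,11 @@` hunk is inside a heredoc whose delimiter is quoted (`<<'END_OF_CHANGELOG'`), so the shell performs no expansion and changelog.md receives the literal text `$GITHUB_EVENT_PULL_REQUEST_BODY` instead of the PR body. Unquoting the delimiter would expand `$(…)` and backticks found in the body, which is the injection this commit is meant to close, so write the variable out directly instead: `printf '%s\n' "$GITHUB_EVENT_PULL_REQUEST_BODY" > "${{ runner.temp }}/changelog.md"`. That also removes the old failure mode where a body containing a line reading `END_OF_CHANGELOG` terminated the heredoc early and left the remainder to run as shell.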
@@ -5,6 +5,9 @@ on:
 schedule:
 - cron: "0 10 * * *"
+permissions:
+ contents: read # for actions/checkout to fetch code
+
 jobs:
 has-new-flux:
 runs-on: ubuntu-latest
@@ -39,11 +42,6 @@ jobs:
 sed -i 's/^FLUX_VERSION=.*/FLUX_VERSION=${{ needs.has-new-flux.outputs.version }}/' Makefile
 go get -u github.com/fluxcd/flux2
 go mod tidy
- # Extract e.g. 0.34 from 0.34.5
- series="$(echo ${{ needs.has-new-flux.outputs.version }} | awk 'BEGIN{FS=OFS="."} NF--')"
- if ! grep -qe "^\* $series$" website/docs/installation.mdx; then
- sed -i -e "/Flux releases:$/,/^$/ s/^$/* $series\n/" website/docs/installation.mdx
- fi
 - name: Create Pull Request
 uses: peter-evans/create-pull-request@v3
 with:
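Review bot: The new workflow-level `permissions: contents: read` in the `@@ -5,6 +5,9 @@` hunk also governs the job that runs `peter-evans/create-pull-request@v3` (visible as context in the `@@ -39,11 +42,6 @@` hunk); that action pushes a branch and opens a pull request, so with the default `GITHUB_TOKEN` it needs `contents: write` and `pull-requests: write` on that job, unless its `with:` block, which is cut off at the end of the hunk, supplies a separate token. If a PAT is used the read-only default is right as is; otherwise add a job-level `permissions:` block to the PR-creating job rather than widening the workflow default. Separately, the retained `sed -i 's/^FLUX_VERSION=.*/FLUX_VERSION=${{ needs.has-new-flux.outputs.version }}/' Makefile` line still interpolates a job output straight into `run:`, the pattern the preceding patch removes elsewhere in this series; routing it through `env:` and quoting the variable would keep the two patches consistent. Pinning the action to a commit SHA instead of the floating `@v3` tag would also harden its supply chain.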