[DO NOT MERGE] Race condition fix for update workflow#9389
[DO NOT MERGE] Race condition fix for update workflow#9389
Conversation
…ransient wft being dropped, and to appendtransienttasks
![semgrep-managed-scans[bot]](https://avatars.githubusercontent.com/u/56493103?s=60&v=4){kind=small}
| run: | | ||
| REF="${{ inputs.ref }}" | ||
| if [[ "$REF" == "spk/update-premature-eos" ]] || [[ "${{ inputs.push }}" == "true" ]]; then | ||
| echo "should-push=true" >> "$GITHUB_OUTPUT" | ||
| else | ||
| echo "should-push=false" >> "$GITHUB_OUTPUT" | ||
| fi | ||
| # Never tag as latest for the branch push | ||
| if [[ "$REF" == "spk/update-premature-eos" ]]; then | ||
| echo "effective-tag-latest=false" >> "$GITHUB_OUTPUT" | ||
| else | ||
| echo "effective-tag-latest=${{ inputs.tag-latest }}" >> "$GITHUB_OUTPUT" | ||
| fi | ||
|
|
There was a problem hiding this comment.
Semgrep identified a blocking 🔴 issue in your code:
Using variable interpolation ${{...}} with github context data in a run: step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. github context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with env: to store the data and use the environment variable in the run: script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR".
To resolve this comment:
🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by run-shell-injection.
You can view more details about this finding in the Semgrep AppSec Platform.
| run: | | ||
| docker buildx bake \ | ||
| --push \ | ||
| -f docker/docker-bake.hcl \ | ||
| server admin-tools | ||
| if [ -n "${{ inputs.platform }}" ]; then | ||
| docker buildx bake \ | ||
| --push \ | ||
| --set "*.platform=${{ inputs.platform }}" \ | ||
| -f docker/docker-bake.hcl \ | ||
| server admin-tools | ||
| else | ||
| docker buildx bake \ | ||
| --push \ | ||
| -f docker/docker-bake.hcl \ | ||
| server admin-tools | ||
| fi |
There was a problem hiding this comment.
Semgrep identified a blocking 🔴 issue in your code:
Using variable interpolation ${{...}} with github context data in a run: step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. github context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with env: to store the data and use the environment variable in the run: script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR".
To resolve this comment:
🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by run-shell-injection.
You can view more details about this finding in the Semgrep AppSec Platform.
1 participant
What changed?
WISOTT
Why?
To come later
How did you test it?
Potential risks
Any change is risky. Identify all risks you are aware of. If none, remove this section.