[DO NOT MERGE] Race condition fix for update workflow #9389
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -59,29 +59,45 @@ jobs: | |
| echo "single-arch=" >> "$GITHUB_OUTPUT" | ||
| fi | ||
|
|
||
| - name: Compute push parameters | ||
| id: push-params | ||
| run: | | ||
| REF="${{ inputs.ref }}" | ||
| if [[ "$REF" == "spk/update-premature-eos" ]] || [[ "${{ inputs.push }}" == "true" ]]; then | ||
| echo "should-push=true" >> "$GITHUB_OUTPUT" | ||
| else | ||
| echo "should-push=false" >> "$GITHUB_OUTPUT" | ||
| fi | ||
| # Never tag as latest for the branch push | ||
| if [[ "$REF" == "spk/update-premature-eos" ]]; then | ||
| echo "effective-tag-latest=false" >> "$GITHUB_OUTPUT" | ||
| else | ||
| echo "effective-tag-latest=${{ inputs.tag-latest }}" >> "$GITHUB_OUTPUT" | ||
| fi | ||
|
|
||
|
Comment on lines
+64
to
+77
There was a problem hiding this comment. Semgrep identified a blocking 🔴 issue in your code: To resolve this comment: 🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods. 💬 Ignore this findingReply with Semgrep commands to ignore this finding.
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by run-shell-injection. You can view more details about this finding in the Semgrep AppSec Platform. |
||
| - name: Build binaries | ||
| uses: ./.github/actions/build-binaries | ||
| with: | ||
| snapshot: ${{ inputs.snapshot }} | ||
| single-arch: ${{ steps.arch-param.outputs.single-arch }} | ||
|
|
||
| - name: Build Docker images | ||
| if: ${{ steps.push-params.outputs.should-push != 'true' }} | ||
| uses: ./.github/actions/build-docker-images | ||
| with: | ||
| push: false | ||
| tag-latest: ${{ steps.push-params.outputs.effective-tag-latest }} | ||
| platform: ${{ inputs.platform }} | ||
| cli-version: ${{ inputs.cli-version }} | ||
| alpine-tag: ${{ inputs.alpine-tag }} | ||
| load: ${{ inputs.platform == 'linux/amd64' || inputs.platform == '' }} | ||
|
|
||
| - name: Build and push Docker images | ||
| if: ${{ steps.push-params.outputs.should-push == 'true' }} | ||
| uses: ./.github/actions/build-docker-images | ||
| with: | ||
| push: true | ||
| tag-latest: ${{ steps.push-params.outputs.effective-tag-latest }} | ||
| platform: ${{ inputs.platform }} | ||
| cli-version: ${{ inputs.cli-version }} | ||
| alpine-tag: ${{ inputs.alpine-tag }} | ||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Semgrep identified a blocking 🔴 issue in your code:
Using variable interpolation
${{...}}withgithubcontext data in arun:step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code.githubcontext data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable withenv:to store the data and use the environment variable in therun:script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR".To resolve this comment:
🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasonsAlternatively, triage in Semgrep AppSec Platform to ignore the finding created by run-shell-injection.
You can view more details about this finding in the Semgrep AppSec Platform.