chore: workflow cleanup
Uses intermediate file for getting github.event information. Direct
shell interpretation doesn't escape special characters, which can cause
problems or lead to code execution. Skips the job for dependabot PRs.
staaldraad committed Oct 8, 2024
1 parent 47e5f16 commit 7fa84a3
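The commit message above describes the hazard the change is meant to close: an expression such as ${{ toJSON(github.event) }} is substituted into the run: script as text before the shell ever parses it. The following script is an added example, not code from this repository or its author: it reproduces that substitution with a constructed, deliberately small event payload whose PR title contains a single quote, runs both the echo-into-a-temp-file form used in the diff and an environment-variable form, and returns what each actually wrote. The names vulnerable_run, safe_run, EVENT_JSON and the payload shape are assumptions for illustration; GITHUB_EVENT_PATH is the real runner variable that already points at the event JSON on disk.

```shell
#!/bin/sh
# Added example (not part of the commit): why pasting ${{ toJSON(github.event) }}
# into a run: script is still shell injection inside single quotes, and what the
# environment-variable form does instead.

# Constructed event payload with a PR title that contains a single quote.
# toJSON escapes " and \ but leaves ' untouched, so it reaches the shell verbatim.
# (Assumption about the payload shape; a real event has many more fields.)
EVENT_JSON=$(cat <<'EOF'
{"pull_request":{"title":"feat: x'; echo INJECTED; echo '"}}
EOF
)

# The Actions runner replaces the expression with its text, then the shell parses
# the result.  This reproduces that order: build the script string first, then run it.
# $1 = event JSON as the runner would paste it, $2 = intended output file.
vulnerable_run() {
    script="echo '$1' > \"$2\""
    sh -c "$script"
}

# Hardened form: the payload travels in an environment variable (in a workflow,
# an env: block on the step), so the script text is constant and the value is
# never re-parsed by the shell.  Equivalent: pass "$GITHUB_EVENT_PATH" directly.
safe_run() {
    EVENT_JSON="$1" OUT="$2" sh -c 'printf "%s\n" "$EVENT_JSON" > "$OUT"'
}

# Observable results, returned on stdout so they can be checked.
vulnerable_stdout() {   # whatever the injected commands printed
    out=$(mktemp); vulnerable_run "$1" "$out" 2>/dev/null; rm -f "$out"
}
vulnerable_file() {     # what actually landed in the "event file"
    out=$(mktemp); vulnerable_run "$1" "$out" >/dev/null 2>&1; cat "$out"; rm -f "$out"
}
safe_file() {           # the env-variable form writes the payload intact
    out=$(mktemp); safe_run "$1" "$out"; cat "$out"; rm -f "$out"
}

if [ "${1:-}" = "demo" ]; then
    echo "== interpolated (vulnerable) stdout =="; vulnerable_stdout "$EVENT_JSON"
    echo "== interpolated file contents =="; vulnerable_file "$EVENT_JSON"
    echo "== env-var file contents =="; safe_file "$EVENT_JSON"
fi
```

Run with `sh example.sh demo`: the interpolated form prints INJECTED and leaves only the tail `"}}` in the temp file, while the environment-variable form writes the full JSON. In a workflow with set -x (as in the diff) the interpolated command, payload included, is also echoed into the job log.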
Showing 2 changed files with 11 additions and 9 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/conventional-commits-lint.js
@@ -16,7 +16,7 @@ const ALLOWED_CONVENTIONAL_COMMIT_PREFIXES = [
];

const object = process.argv[2];
const payload = JSON.parse(fs.readFileSync(process.stdin.fd, "utf-8"));
const payload = JSON.parse(fs.readFileSync(process.argv[3], "utf-8"));

let validate = [];

18 changes: 10 additions & 8 deletions .github/workflows/conventional-commits.yml
@@ -16,10 +16,13 @@ on:
- reopened
- ready_for_review

permissions:
contents: read

jobs:
check-conventional-commits:
runs-on: ubuntu-latest

if: github.actor != 'dependabot[bot]' # skip for dependabot PRs
steps:
- uses: actions/checkout@v4
with:
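Review bot: the new if: at line 19 keys on github.actor, i.e. whoever triggered the run, but the trigger list still includes reopened and ready_for_review, so a maintainer reopening a Dependabot PR makes github.actor the maintainer and the job lints Dependabot's commits anyway. For pull_request_target events, check the PR author instead, e.g. github.event.pull_request.user.login != 'dependabot[bot]'. The permissions: contents: read block is the right default here, since pull_request_target runs with the base repository's token.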
@@ -29,15 +32,14 @@ jobs:
- if: ${{ github.event_name == 'pull_request_target' }}
run: |
set -ex
node .github/workflows/conventional-commits-lint.js pr <<EOF
${{ toJSON(github.event) }}
EOF
TMP_FILE=$(mktemp)
echo '${{ toJSON(github.event) }}' > "$TMP_FILE"
node .github/workflows/conventional-commits-lint.js pr "$TMP_FILE"
- if: ${{ github.event_name == 'push' }}
run: |
set -ex
node .github/workflows/conventional-commits-lint.js push <<EOF
${{ toJSON(github.event) }}
EOF
TMP_FILE=$(mktemp)
echo '${{ toJSON(github.event) }}' > "$TMP_FILE"
node .github/workflows/conventional-commits-lint.js push "$TMP_FILE"

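Review bot: the single-quoted echo at lines 35 and 44 does not close the injection the commit message describes. The runner substitutes the text of ${{ toJSON(github.event) }} into the script before the shell parses it, and toJSON escapes " and \ but not ', so any event field a contributor controls (PR title, body, branch name) that contains a single quote terminates the quoted string and the rest runs as shell, under pull_request_target with the base repository's token. Pass the payload through the environment instead, e.g. an env: block with EVENT_JSON: ${{ toJSON(github.event) }} and printf '%s' "$EVENT_JSON" > "$TMP_FILE", or drop the temp file and pass "$GITHUB_EVENT_PATH", which already holds the event JSON. With set -x the full payload is also echoed into the job log on every run.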
0 comments on commit 7fa84a3