
Commit 6b714ec

fix: secure GitHub Actions workflow to pass actionlint
- Follow security best practice for GitHub Actions
- Pass potentially untrusted context values via environment variables
- Fixes actionlint warning about using github.head_ref directly in scripts
1 parent b2ffe85 commit 6b714ec


1 file changed

+13
-7
lines changed


.github/workflows/docs-unified.yaml

Lines changed: 13 additions & 7 deletions
@@ -250,27 +250,33 @@ jobs:
250250
# Extract context information for PR/branch
251251
- name: Extract context information
252252
id: context-info
253+
env:
254+
INPUT_PR_NUMBER: ${{ inputs.pr-number }}
255+
GITHUB_EVENT_NAME: ${{ github.event_name }}
256+
GITHUB_PR_NUMBER: ${{ github.event.pull_request.number }}
257+
GITHUB_HEAD_REF: ${{ github.head_ref }}
258+
GITHUB_REF_NAME: ${{ github.ref_name }}
253259
shell: bash
254260
run: |
255261
echo "::group::Extracting context information"
256262
257263
# Extract PR number from inputs or context
258-
if [ -n "${{ inputs.pr-number }}" ]; then
259-
PR_NUMBER="${{ inputs.pr-number }}"
264+
if [ -n "$INPUT_PR_NUMBER" ]; then
265+
PR_NUMBER="$INPUT_PR_NUMBER"
260266
echo "::notice::Using PR number from action input: #${PR_NUMBER}"
261-
elif [ "${{ github.event_name }}" == "pull_request" ]; then
262-
PR_NUMBER="${{ github.event.pull_request.number }}"
267+
elif [ "$GITHUB_EVENT_NAME" == "pull_request" ]; then
268+
PR_NUMBER="$GITHUB_PR_NUMBER"
263269
echo "::notice::Using PR number from event context: #${PR_NUMBER}"
264270
else
265271
echo "::notice::No PR number available. Features requiring PR number will be disabled."
266272
PR_NUMBER=""
267273
fi
268274
269275
# Extract branch information (used for preview URLs)
270-
if [ "${{ github.event_name }}" == "pull_request" ]; then
271-
BRANCH_NAME="${{ github.head_ref }}"
276+
if [ "$GITHUB_EVENT_NAME" == "pull_request" ]; then
277+
BRANCH_NAME="$GITHUB_HEAD_REF"
272278
else
273-
BRANCH_NAME="${{ github.ref_name }}"
279+
BRANCH_NAME="$GITHUB_REF_NAME"
274280
fi
275281
276282
# Sanitize branch name for URLs
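
Review bot: In the new env block (added lines 255, 257 and 258), GITHUB_EVENT_NAME, GITHUB_HEAD_REF and GITHUB_REF_NAME are names the runner already sets as default environment variables, so these mappings are redundant at best and leave it unclear which value the script reads. Either drop those three entries and rely on the runner-provided variables, or give every entry a step-local name in the style of INPUT_PR_NUMBER (a name such as PR_HEAD_REF), which also keeps GITHUB_PR_NUMBER on line 256 from looking like a built-in. Separately, PR_NUMBER is assigned from "$INPUT_PR_NUMBER" and echoed into a ::notice:: command with no check that it is numeric; a digits-only test before that assignment would be worth adding in this step.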
