Changeset 59679 for trunk/.github/workflows/pull-request-comments.yml

Timestamp:

01/22/2025 03:13:21 PM (17 months ago)

Author:

johnbillion

Message:

Build/Test Tools: Improve the security and correctness of the GitHub Actions workflows files.

This includes removing use of dangerous inline GitHub Actions expressions, preventing word splitting, further tightening permissions, and generally improving many aspects of the workflows.

This also introduces a new workflow that runs Actionlint to detect incorrect and insecure code and configuration in workflow files.

Props johnbillion, swissspidy, flixos90, desrosj.

See #62221

File:

• trunk/.github/workflows/pull-request-comments.yml (modified) (2 diffs)

trunk/.github/workflows/pull-request-comments.yml

@@ -97 +97 @@
                owner: context.repo.owner,
                repo: context.repo.repo,
-               run_id: ${{ github.event.workflow_run.id }},
+               run_id: process.env.RUN_ID,
             } );
 
@@ -118 +118 @@
             const fs = require( 'fs' );
             fs.writeFileSync( '${{github.workspace}}/pr-number.zip', Buffer.from( download.data ) )
+        env:
+          RUN_ID: ${{ github.event.workflow_run.id }}
 
       - name: Unzip the artifact containing the PR number