From 36e8bfb491d127d739bca31182a2f82658a4dfc5 Mon Sep 17 00:00:00 2001 From: Etienne Stalmans Date: Tue, 8 Oct 2024 09:48:13 +0200 Subject: [PATCH] chore: workflow cleanup Uses intermediate file for getting github.event information. Direct shell interpretation doesn't escape special characters (such as `), which can cause problems or lead to code execution. Skips the job for dependabot PRs. --- .../workflows/conventional-commits-lint.js | 2 +- .github/workflows/conventional-commits.yml | 20 +++++++++++-------- 2 files changed, 13 insertions(+), 9 deletions(-) diff --git a/.github/workflows/conventional-commits-lint.js b/.github/workflows/conventional-commits-lint.js index da9b388..8eb4e45 100644 --- a/.github/workflows/conventional-commits-lint.js +++ b/.github/workflows/conventional-commits-lint.js @@ -16,7 +16,7 @@ const ALLOWED_CONVENTIONAL_COMMIT_PREFIXES = [ ]; const object = process.argv[2]; -const payload = JSON.parse(fs.readFileSync(process.stdin.fd, "utf-8")); +const payload = JSON.parse(fs.readFileSync(process.argv[3], "utf-8")); let validate = []; diff --git a/.github/workflows/conventional-commits.yml b/.github/workflows/conventional-commits.yml index 71e0e1d..3ffa068 100644 --- a/.github/workflows/conventional-commits.yml +++ b/.github/workflows/conventional-commits.yml @@ -16,10 +16,15 @@ on: - reopened - ready_for_review +permissions: + contents: read + jobs: check-conventional-commits: runs-on: ubuntu-latest - + if: github.actor != 'dependabot[bot]' # skip for dependabot PRs + env: + EVENT: ${{ toJSON(github.event) }} steps: - uses: actions/checkout@v4 with: @@ -29,15 +34,14 @@ jobs: - if: ${{ github.event_name == 'pull_request_target' }} run: | set -ex - - node .github/workflows/conventional-commits-lint.js pr < "$TMP_FILE" + node .github/workflows/conventional-commits-lint.js pr "${TMP_FILE}" - if: ${{ github.event_name == 'push' }} run: | set -ex - node .github/workflows/conventional-commits-lint.js push < "$TMP_FILE" + node .github/workflows/conventional-commits-lint.js push "${TMP_FILE}"