fix(ci): remove template injection on pull_request_target workflows#45956
Merged
Conversation
XciD
force-pushed
the
ci/fix-template-injection-and-quoting
branch
from
525e180 to
d2c9d19
Compare
Collaborator
|
@bot /style |
Contributor
|
Style fix fix runs successfully without any file modified. |
ArthurZucker
approved these changes
May 14, 2026
Replace every `error[template-injection]` finding flagged by zizmor with
the env-var pattern so PR-author/matrix/input-derived values cannot be
expanded into shell or `actions/github-script` JS source by GitHub
Actions templating.
Files touched:
- pr_slow_ci_suggestion.yml (`pull_request_target`): heredoc that
interpolated `PR_FILES` and JS bodies that interpolated
`PR_HEAD_REPO_OWNER/NAME/SHA`/`PR_NUMBER` now use `env:` + `process.env`.
- pr-repo-consistency-bot.yml (`issue_comment`): quoted all
`${PR_HEAD_REF}`/`${PR_HEAD_SHA}`/`${PR_HEAD_REPO_FULL_NAME}` shell
expansions; the final `Comment on PR` step also moved to `env:`.
- trl-ci-bot.yml (`issue_comment`): `github.event.issue.pull_request.url`
via env.
- get-pr-info.yml, check_failed_tests.yml: `inputs.pr_number` and
`inputs.commit_sha` passed via env, used as JS locals.
- collated-reports.yml: machine_type/job/report_repo_id/gpu_name via env
and quoted in the python invocation.
- model_jobs_intel_gaudi.yml: inputs.folder_slices / machine_type /
report_name_prefix and matrix.folders via env; report-directory name
built once and reused.
- self-scheduled-flash-attn-caller.yml: prev/other_workflow_run_id via
env before being written to disk.
- self-scheduled-intel-gaudi.yml: inputs.job via env; NUM_SLICES via env
inside `python3 -c`.
Zizmor 1.24.1: 22 `error[template-injection]` -> 0. `node --check` and
`bash -n` pass on every `run:` / `script:` block touched. Behavior
preserved: same values reach the same code paths, only the wiring
changed (templating -> env vars).
XciD
force-pushed
the
ci/fix-template-injection-and-quoting
branch
from
5f50aac to
3cf2947
Compare
|
The docs for this PR live here. All of your documentation changes will be reflected on that endpoint. The docs are available until 30 days after the last update. |
jp1924
pushed a commit
to jp1924/transformers
that referenced
this pull request
May 18, 2026
…uggingface#45956) fix(ci): remove template injection across workflows Replace every `error[template-injection]` finding flagged by zizmor with the env-var pattern so PR-author/matrix/input-derived values cannot be expanded into shell or `actions/github-script` JS source by GitHub Actions templating. Files touched: - pr_slow_ci_suggestion.yml (`pull_request_target`): heredoc that interpolated `PR_FILES` and JS bodies that interpolated `PR_HEAD_REPO_OWNER/NAME/SHA`/`PR_NUMBER` now use `env:` + `process.env`. - pr-repo-consistency-bot.yml (`issue_comment`): quoted all `${PR_HEAD_REF}`/`${PR_HEAD_SHA}`/`${PR_HEAD_REPO_FULL_NAME}` shell expansions; the final `Comment on PR` step also moved to `env:`. - trl-ci-bot.yml (`issue_comment`): `github.event.issue.pull_request.url` via env. - get-pr-info.yml, check_failed_tests.yml: `inputs.pr_number` and `inputs.commit_sha` passed via env, used as JS locals. - collated-reports.yml: machine_type/job/report_repo_id/gpu_name via env and quoted in the python invocation. - model_jobs_intel_gaudi.yml: inputs.folder_slices / machine_type / report_name_prefix and matrix.folders via env; report-directory name built once and reused. - self-scheduled-flash-attn-caller.yml: prev/other_workflow_run_id via env before being written to disk. - self-scheduled-intel-gaudi.yml: inputs.job via env; NUM_SLICES via env inside `python3 -c`. Zizmor 1.24.1: 22 `error[template-injection]` -> 0. `node --check` and `bash -n` pass on every `run:` / `script:` block touched. Behavior preserved: same values reach the same code paths, only the wiring changed (templating -> env vars).
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Eliminate every
error[template-injection]finding in.github/workflows/by routing PR-author / matrix / input-derived values throughenv:instead of GitHub Actions${{ ... }}rendering directly into shell oractions/github-scriptJS source.Zizmor 1.24.1: 22
error[template-injection]→ 0.Files touched
pull_request_target/issue_comment(highest exposure)pr_slow_ci_suggestion.yml(pull_request_target)PR_FILESwas placed inside a<< 'EOF'heredoc inrun:. The single-quoted heredoc only stops shell expansion after GitHub renders${{ ... }}; a filename containingEOF\n<payload>\nEOFwould escape the heredoc and run on the runner. Nowenv: { PR_FILES: ... }+printf '%s\n' "$PR_FILES".PR_HEAD_REPO_OWNER,PR_HEAD_REPO_NAME,PR_HEAD_SHA,PR_NUMBERwere interpolated directly intoactions/github-scriptscript bodies; moved toenv:+process.env.pr-repo-consistency-bot.yml(issue_comment, gated by maintainer allowlist)${PR_HEAD_REF},${PR_HEAD_SHA},${PR_HEAD_REPO_FULL_NAME}shell expansion ingit fetch,git checkout,git remote add,git push.Comment on PRstep now passescomment_idandfinal_commentviaenv:(no${{ ... }}left in the script body).trl-ci-bot.yml(issue_comment, gated byauthor_association)github.event.issue.pull_request.urlpassed via env. GitHub-controlled value, but principle is the same.Reusable workflows (callable from PR comment CI)
get-pr-info.yml:inputs.pr_numberpassed via env, shared between two API calls.check_failed_tests.yml:pr_number+commit_shapassed via env in the Extract base commit step.Reusable workflows (callable from scheduled / dispatched CI)
collated-reports.yml:machine_type,job,report_repo_id,gpu_nameexposed as env, quoted in the python invocation.model_jobs_intel_gaudi.yml:inputs.folder_slices,inputs.machine_type,inputs.report_name_prefix,matrix.folderspulled intoenv:; report-directory name built once and reused.self-scheduled-flash-attn-caller.yml:prev_workflow_run_id/other_workflow_run_idpassed via env before being written to disk.self-scheduled-intel-gaudi.yml:inputs.jobpassed via env;NUM_SLICESdereferenced via env in thepython3 -csnippet.Validation
error[template-injection]→ 0 across the whole.github/workflows/tree.node --checkon everyactions/github-scriptscript:body touched: ✅bash -non everyrun:block touched: ✅Out of scope (will be follow-up PRs)
actions/github-script@v6→@v7(handled by the pin-by-SHA PR chore(ci): pin all GitHub Actions and reusable workflows by SHA #45955).pr-repo-consistency-bot.yml:7invalidbranches-ignorefilter onissue_comment(pre-existing).secrets: inheritto explicit per-secret passing in the 17 callers.