Skip to content

Security: restrict workflow context#3124

Merged
yanyongyu merged 2 commits intomasterfrom
fix/website-preview
Nov 18, 2024
Merged

Security: restrict workflow context#3124
yanyongyu merged 2 commits intomasterfrom
fix/website-preview

Conversation

@yanyongyu
Copy link
Copy Markdown
Member

@yanyongyu yanyongyu commented Nov 17, 2024

Related to: GHSA-mjw5-7mvp-34wc

@yanyongyu yanyongyu added skip-changelog PR will not be included in changelog github_actions Pull requests that update GitHub Actions code labels Nov 17, 2024
polarathene
polarathene approved these changes Nov 17, 2024
View reviewed changes
Copy link
Copy Markdown
Contributor

@polarathene polarathene left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 👍

I'm not sure if anyone outside your organization members (and myself) can view the advisory linked. That might require me to update the "Affected products" section, but I'm not sure what I'd put there 😅

The change suggestions added from this review aren't too important, but often a good practice to refer to shell/env variables with ${ + }.

Comment thread .github/workflows/website-preview-cd.yml Outdated
Comment thread .github/workflows/website-preview-cd.yml Outdated
@polarathene
Copy link
Copy Markdown
Contributor

polarathene commented Nov 17, 2024
edited
Loading

You should be good to merge this PR as a fix, but I'll ping @pwntester from GHSL and he'll let you know if anything else needs to be addressed 👍

@polarathene polarathene mentioned this pull request Nov 17, 2024
Closed
6 tasks
pwntester
pwntester approved these changes Nov 18, 2024
View reviewed changes
Comment thread .github/workflows/website-preview-cd.yml Outdated
@yanyongyu yanyongyu merged commit 83552d6 into master Nov 18, 2024
@yanyongyu yanyongyu deleted the fix/website-preview branch November 18, 2024 15:09
@polarathene
Copy link
Copy Markdown
Contributor

polarathene commented Nov 18, 2024

Just to chime in about the recent change (that I didn't notice with my review, whoops! 😅 ), in the referenced advisory (not publicly viewable) I had shown the env configuration for usage with $GITHUB_OUTPUT, not $GITHUB_ENV where it'd have been unnecessary.

The advisory discussed a few options and I could probably have explained them more clearly.

@polarathene polarathene mentioned this pull request Nov 18, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@StarHeartHunt StarHeartHunt StarHeartHunt approved these changes

+2 more reviewers

@pwntester pwntester pwntester approved these changes

@polarathene polarathene polarathene approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

github_actions Pull requests that update GitHub Actions code skip-changelog PR will not be included in changelog

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@yanyongyu @polarathene @pwntester @StarHeartHunt