Commit e046a1f

chore: workflow cleanup (#70)
## What kind of change does this PR introduce?

Bug fix, and maintenance to CI

## What is the current behavior?

The `github.event` could include shell characters such as ```` ``` ```` in the commit message, which would be interpreted by the shell and can lead to unexpected code execution. Dependabot PRs break because of commit title rules, skip.

## What is the new behavior?

Uses intermediate file for getting `github.event` information. Direct shell interpretation doesn't escape special characters, which can cause problems or lead to code execution. Skips the job for dependabot PRs.
1 parent 99041b2 commit e046a1f

2 files changed

+13
-9
lines changed

.github/workflows/conventional-commits-lint.js

Lines changed: 1 addition & 1 deletion
@@ -16,7 +16,7 @@ const ALLOWED_CONVENTIONAL_COMMIT_PREFIXES = [
1616
];
1717

1818
const object = process.argv[2];
19-
const payload = JSON.parse(fs.readFileSync(process.stdin.fd, "utf-8"));
19+
const payload = JSON.parse(fs.readFileSync(process.argv[3], "utf-8"));
2020

2121
let validate = [];
2222

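Review bot: `process.argv[3]` is handed straight to `fs.readFileSync` with no check that the argument was supplied, so a caller that still invokes the script the old way (no path) fails with an `ERR_INVALID_ARG_TYPE` from inside `readFileSync` instead of a usage message. Suggest guarding it before the read, e.g. `const eventPath = process.argv[3]; if (!eventPath) { console.error("usage: conventional-commits-lint.js <pr|push> <event.json>"); process.exit(1); }` and then `fs.readFileSync(eventPath, "utf-8")`. Reading the payload from a file is the right shape for the fix: the JSON no longer passes through a shell heredoc, so backticks or `$(...)` in a commit title are inert.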
.github/workflows/conventional-commits.yml

Lines changed: 12 additions & 8 deletions
@@ -16,10 +16,15 @@ on:
1616
- reopened
1717
- ready_for_review
1818

19+
permissions:
20+
contents: read
21+
1922
jobs:
2023
check-conventional-commits:
2124
runs-on: ubuntu-latest
22-
25+
if: github.actor != 'dependabot[bot]' # skip for dependabot PRs
26+
env:
27+
EVENT: ${{ toJSON(github.event) }}
2328
steps:
2429
- uses: actions/checkout@v4
2530
with:
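Review bot: the dependabot skip keys on `github.actor`, but with `reopened` and `ready_for_review` among the triggers the actor is whoever performed that action, not the PR author, so a Dependabot PR reopened by a maintainer still runs the lint and fails on the title rules this change is meant to avoid. If the intent is to skip by author, `github.event.pull_request.user.login != 'dependabot[bot]'` is the more reliable condition. Moving `toJSON(github.event)` into `env:` is the correct fix for the injection: the runner substitutes the expression into the process environment rather than into the script text, so the shell never parses it. `permissions: contents: read` at workflow level is worth keeping as well, since the `pull_request_target` trigger used in the steps below otherwise runs with a write-capable token against the base repository.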
@@ -29,15 +34,14 @@ jobs:
2934
- if: ${{ github.event_name == 'pull_request_target' }}
3035
run: |
3136
set -ex
32-
33-
node .github/workflows/conventional-commits-lint.js pr <<EOF
34-
${{ toJSON(github.event) }}
35-
EOF
37+
TMP_FILE=$(mktemp)
38+
echo "${EVENT}" > "$TMP_FILE"
39+
node .github/workflows/conventional-commits-lint.js pr "${TMP_FILE}"
3640
3741
- if: ${{ github.event_name == 'push' }}
3842
run: |
3943
set -ex
4044
41-
node .github/workflows/conventional-commits-lint.js push <<EOF
42-
${{ toJSON(github.event) }}
43-
EOF
45+
TMP_FILE=$(mktemp)
46+
echo "${EVENT}" > "$TMP_FILE"
47+
node .github/workflows/conventional-commits-lint.js push "${TMP_FILE}"
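Review bot: the `mktemp` file is never removed, and with `set -x` the `echo "${EVENT}"` line dumps the entire event JSON into the job log in both steps. Suggest `printf '%s\n' "$EVENT" > "$TMP_FILE"` (immune to `echo` implementations that interpret backslash escapes, which JSON strings may contain) together with `trap 'rm -f "$TMP_FILE"' EXIT`, or drop the copy entirely: the runner already writes the same payload to the path in `$GITHUB_EVENT_PATH`, so `node .github/workflows/conventional-commits-lint.js pr "$GITHUB_EVENT_PATH"` would remove both the env var and the temp file. Either way the property that matters holds: the JSON is read from a file and is never parsed by the shell, so backticks in a commit message can no longer execute.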
