ci: mitigate script injection attack in test_weaver-pre-release.yaml

Fixes the script injection attack mentioned here: https://hackerone.com/reports/2471956 Signed-off-by: Sandeep Nishad <[email protected]>
sandeepnRES · Apr 25, 2024 · 5bd9504 · 5bd9504
1 parent a5ece69
commit 5bd9504
Showing 1 changed file with 10 additions and 3 deletions.
diff --git a/.github/workflows/test_weaver-pre-release.yaml b/.github/workflows/test_weaver-pre-release.yaml
@@ -6,6 +6,7 @@ name: Pre-release Test Weaver Module versions
 
 on:
   pull_request:
+    branches: [ main ]
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
@@ -21,9 +22,11 @@ jobs:
 
       - name: Ignore if not a release PR
         id: early
+        env:
+          TITLE: ${{ github.event.pull_request.title }}
         run : |
           status="skip"
-          if echo "${{ github.event.pull_request.title }}" | grep -q "chore(release)"; then
+          if echo ${TITLE} | grep -q "chore(release)"; then
             status="continue"
           fi
           echo "status=$status" >> $GITHUB_OUTPUT
@@ -37,10 +40,12 @@ jobs:
       - uses: actions/[email protected]
 
       - name: Get release verison from PR title
+        env:
+          TITLE: ${{ github.event.pull_request.title }}
         run: |
           # Assuming release PR follows pattern: chore(release): publish vA.B.C
           # Split PR title by space, and take 3rd word
-          VERSION=$(echo "${{ github.event.pull_request.title }}" | cut -d ' ' -f 3)
+          VERSION=$(echo "${TITLE}" | cut -d ' ' -f 3)
           # Strip "v" from version
           VERSION=$(echo $VERSION | sed -e 's/^v//')
           echo "VERSION=$VERSION" >> $GITHUB_ENV
@@ -144,10 +149,12 @@ jobs:
       - uses: actions/[email protected]
 
       - name: Get release verison from PR title
+        env:
+          TITLE: ${{ github.event.pull_request.title }}
         run: |
           # Assuming release PR follows pattern: chore(release): publish vA.B.C
           # Split PR title by space, and take 3rd word
-          VERSION=$(echo "${{ github.event.pull_request.title }}" | cut -d ' ' -f 3)
+          VERSION=$(echo "${TITLE}" | cut -d ' ' -f 3)
           # Strip "v" from version
           VERSION=$(echo $VERSION | sed -e 's/^v//')
           echo "VERSION=$VERSION" >> $GITHUB_ENV