Prevent shell injection (#7310)

2026-06-02 19:39:49 +09:00 · 2026-03-02 19:45:58 +09:00
parent 3865fdbf5b
commit 0a6a6f8ddb
3 changed files with 16 additions and 7 deletions
--- a/.github/workflows/pr-auto-commit.yaml
+++ b/.github/workflows/pr-auto-commit.yaml
@@ -93,8 +93,10 @@ jobs:

      - name: Push formatting changes
        if: steps.check-changes.outputs.has_changes == 'true'
+        env:
+          HEAD_REF: ${{ github.event.pull_request.head.ref }}
        run: |
-          git push origin HEAD:${{ github.event.pull_request.head.ref }}
+          git push origin "HEAD:${HEAD_REF}"

      - name: Read committed commands
        id: committed-commands
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -161,8 +161,9 @@ jobs:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          tag: ${{ github.ref_name }}
          run: ${{ github.run_number }}
+          PRE_RELEASE_INPUT: ${{ github.event.inputs.pre-release }}
        run: |
-          if [[ "${{ github.event.inputs.pre-release }}" == "false" ]]; then
+          if [[ "${PRE_RELEASE_INPUT}" == "false" ]]; then
            RELEASE_TYPE_NAME=Release
            PRERELEASE_ARG=
          else
--- a/.github/workflows/update-doc-db.yml
+++ b/.github/workflows/update-doc-db.yml
@@ -61,7 +61,9 @@ jobs:
          token: ${{ secrets.AUTO_COMMIT_PAT }}

      - name: Create update branch
-        run: git switch -c update-doc-${{ inputs.python-version }}
+        env:
+          PYTHON_VERSION: ${{ inputs.python-version }}
+        run: git switch -c "update-doc-${PYTHON_VERSION}"

      - name: Download generated doc DBs
        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0
@@ -71,6 +73,8 @@ jobs:
          merge-multiple: true

      - name: Transform JSON
+        env:
+          PYTHON_VERSION: ${{ inputs.python-version }}
        run: |
          # Merge all artifacts
          jq -s "add" --sort-keys crates/doc/generated/*.json > crates/doc/generated/merged.json
@@ -83,7 +87,7 @@ jobs:
          echo -n '' > $OUTPUT_FILE

          echo '// This file was auto-generated by `.github/workflows/update-doc-db.yml`.' >> $OUTPUT_FILE
-          echo "// CPython version: ${{ inputs.python-version }}" >> $OUTPUT_FILE
+          echo "// CPython version: ${PYTHON_VERSION}" >> $OUTPUT_FILE
          echo '// spell-checker: disable' >> $OUTPUT_FILE

          echo '' >> $OUTPUT_FILE
@@ -103,15 +107,17 @@ jobs:
      - name: Commit, push and create PR
        env:
          GH_TOKEN: ${{ secrets.AUTO_COMMIT_PAT }}
+          PYTHON_VERSION: ${{ inputs.python-version }}
+          BASE_REF: ${{ inputs.base-ref }}
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          if [ -n "$(git status --porcelain)" ]; then
            git add crates/doc/src/data.inc.rs
-            git commit -m "Update doc DB for CPython ${{ inputs.python-version }}"
+            git commit -m "Update doc DB for CPython ${PYTHON_VERSION}"
            git push -u origin HEAD
            gh pr create \
-              --base ${{ inputs.base-ref }} \
-              --title "Update doc DB for CPython ${{ inputs.python-version }}" \
+              --base "${BASE_REF}" \
+              --title "Update doc DB for CPython ${PYTHON_VERSION}" \
              --body "Auto-generated by update-doc-db workflow."
          fi