Merge pull request #19253 from smoser/cleanup/better-shell-protection

Be safer with here docs in docker-run and lint-world actions.
wolfi-dev · May 14, 2024 · 140ca64 · 140ca64
2 parents 58c83b3 + d2aab72
commit 140ca64
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 13 deletions.
diff --git a/.github/actions/docker-run/action.yaml b/.github/actions/docker-run/action.yaml
@@ -39,7 +39,7 @@ runs:
           -e GOOGLE_GHA_CREDS_PATH=${GOOGLE_GHA_CREDS_PATH} \
           -i \
           ${{ inputs.opts }} \
-          ${{ inputs.image }} <<EOF
+          ${{ inputs.image }} <<"_END_DOCKER_RUN"
         set -e
         ${{ inputs.run }}
-        EOF
+        _END_DOCKER_RUN
diff --git a/.github/workflows/build-beta.yaml b/.github/workflows/build-beta.yaml
@@ -75,7 +75,7 @@ jobs:
 
             # This is to avoid fatal errors about "dubious ownership" because we are
             # running inside of a container action with the workspace mounted in.
-            git config --global --add safe.directory "\$(pwd)"
+            git config --global --add safe.directory "$PWD"
 
             make local-melange.rsa
 

diff --git a/.github/workflows/ci-build.yaml b/.github/workflows/ci-build.yaml
@@ -145,8 +145,8 @@ jobs:
 
             mkdir -p .melangecache
             for package in ${{needs.changes.outputs.packages}}; do
-              make MELANGE_EXTRA_OPTS="--create-build-log --cache-dir=.melangecache" REPO="./packages" package/\$package -j1
-              make MELANGE_EXTRA_OPTS="--runner docker" REPO="./packages" "test/\$package" -j1
+              make MELANGE_EXTRA_OPTS="--create-build-log --cache-dir=.melangecache" REPO="./packages" package/$package -j1
+              make MELANGE_EXTRA_OPTS="--runner docker" REPO="./packages" "test/$package" -j1
             done
 
       - name: "Check that packages can be installed with apk add"
@@ -165,9 +165,9 @@ jobs:
             apk update --root /tmp/emptyroot
 
             # Find .apk files and add them to the string
-            for f in \$(find packages -name '*.apk'); do
-                tar -Oxf \$f .PKGINFO
-                apk add --root /tmp/emptyroot --repository "./packages" --allow-untrusted --simulate \$f
+            for f in $(find packages -name '*.apk'); do
+                tar -Oxf "$f" .PKGINFO
+                apk add --root /tmp/emptyroot --repository "./packages" --allow-untrusted --simulate "$f"
             done
 
       - name: Reset file permissions
@@ -179,9 +179,9 @@ jobs:
         with:
           run: |
             apk add py3-ntia-conformance-checker spdx-tools-java
-            for f in \$(find packages -name '*.apk'); do
-                echo ==== Checking SBOM for \$f ====
-                tar -Oxf \$f var/lib/db/sbom/ > sbom.json
+            for f in $(find packages -name '*.apk'); do
+                echo "==== Checking SBOM for $f ===="
+                tar -Oxf "$f" var/lib/db/sbom/ > sbom.json
                 echo ::group::sbom.json
                 cat sbom.json
                 echo ::endgroup::

diff --git a/.github/workflows/lint-world.yaml b/.github/workflows/lint-world.yaml
@@ -70,7 +70,7 @@ jobs:
 
       - name: Setup k8s runner configs
         run: |
-          cat > .melange.k8s.yaml <<EOF
+          cat > .melange.k8s.yaml <<"_END_MELANGE_YAML"
           provider: gke
           repo: gcr.io/${{ env.EPHEMERAL_BUILD_PROJECT_ID }}/world-builds
           # Fully utilize {t2a,n2d}-standard-44
@@ -116,7 +116,7 @@ jobs:
                           # it's really annoying to make it all the way through only to
                           # fill up the disk at the end
                           storage: 15Gi
-          EOF
+          _END_MELANGE_YAML
 
       - name: Create ephemeral build cluster
         run: |