From: Dmitry Misharov
Date: Thu, 23 Oct 2025 10:23:55 +0000 (+0200)
Subject: remove potentially not secure template expansions
X-Git-Tag: 3.6-PRE-CLANG-FORMAT-WEBKIT~16
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=87c66c7f7162b2656ecf6fc3ca03eae08bbd621c;p=thirdparty%2Fopenssl.git
remove potentially not secure template expansions
https://docs.zizmor.sh/audits/#template-injection
Reviewed-by: Neil Horman
Reviewed-by: Tomas Mraz
(cherry picked from commit 33ec173876c409c3be4c3a7aef0f13b5d0c133b6)
Reviewed-by: Eugene Syromiatnikov
(Merged from https://github.com/openssl/openssl/pull/29271)
---
diff --git a/.github/workflows/coveralls.yml b/.github/workflows/coveralls.yml
index 93c2c8282ec..0564b641f1b 100644
--- a/.github/workflows/coveralls.yml
+++ b/.github/workflows/coveralls.yml
@@ -31,12 +31,15 @@ jobs:
 steps:
 - name: Define branches
 id: branches
+ env:
+ GITHUB_EVENT_INPUTS_BRANCH: ${{ github.event.inputs.branch }}
+ GITHUB_EVENT_INPUTS_EXTRA_CONFIG: ${{ github.event.inputs.extra_config }}
 run: |
 if [ "${{ github.event_name}}" = "workflow_dispatch" ]; then
 MATRIX=$(cat << EOF
 [{
- "branch": "${{ github.event.inputs.branch }}",
- "extra_config": "${{ github.event.inputs.extra_config }}"
+ "branch": "${GITHUB_EVENT_INPUTS_BRANCH}",
+ "extra_config": "${GITHUB_EVENT_INPUTS_EXTRA_CONFIG}"
 }]
 EOF
 )
diff --git a/.github/workflows/deploy-docs-openssl-org.yml b/.github/workflows/deploy-docs-openssl-org.yml
index 5554f07a429..99d4b73ed1a 100644
--- a/.github/workflows/deploy-docs-openssl-org.yml
+++ b/.github/workflows/deploy-docs-openssl-org.yml
@@ -15,7 +15,7 @@ jobs:
 steps:
 - name: "Trigger deployment workflow"
 run: |
- gh workflow run -f branch=${{ github.ref_name }} deploy-site.yaml
+ gh workflow run -f branch=${GITHUB_REF_NAME} deploy-site.yaml
 sleep 3
 RUN_ID=$(gh run list -w deploy-site.yaml -L 1 --json databaseId -q ".[0].databaseId")
 gh run watch ${RUN_ID} --exit-status
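Review bot: The context line `if [ "${{ github.event_name}}" = "workflow_dispatch" ]; then` in the coveralls hunk still interpolates a template expression into the shell script; `github.event_name` only ever takes fixed event names so it is not an injection vector, but zizmor will keep flagging it and the default `GITHUB_EVENT_NAME` variable carries the same value, so `if [ "$GITHUB_EVENT_NAME" = "workflow_dispatch" ]; then` would finish the cleanup for this file. The new env variables do close the shell-injection path (the heredoc expands `${GITHUB_EVENT_INPUTS_BRANCH}` but never re-evaluates its contents), yet the values are still spliced into a JSON document by string concatenation, so a `workflow_dispatch` input containing `"` or `\` produces malformed JSON or extra keys; `MATRIX=$(jq -nc --arg b "$GITHUB_EVENT_INPUTS_BRANCH" --arg e "$GITHUB_EVENT_INPUTS_EXTRA_CONFIG" '[{branch: $b, extra_config: $e}]')` does the escaping for you and jq is present on the hosted runners. Because `workflow_dispatch` inputs come from someone who can already run workflows in this repository, this is hardening rather than a live vulnerability. The rest of the step, including whatever consumes MATRIX, is outside the hunk.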
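Review bot: The added `gh workflow run -f branch=${GITHUB_REF_NAME} deploy-site.yaml` leaves the expansion unquoted, unlike every other rewrite in this commit; git ref names cannot contain whitespace or glob metacharacters, so this is not exploitable, but `gh workflow run -f "branch=$GITHUB_REF_NAME" deploy-site.yaml` is the consistent form and costs nothing. As a separate, pre-existing caveat, the following `gh run list -w deploy-site.yaml -L 1` after a fixed `sleep 3` watches whichever run of deploy-site.yaml is newest, which is not guaranteed to be the one just dispatched if another trigger fires in the same window.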
diff --git a/.github/workflows/make-release.yml b/.github/workflows/make-release.yml
index 7d50db65e3d..cda9e88a494 100644
--- a/.github/workflows/make-release.yml
+++ b/.github/workflows/make-release.yml
@@ -26,17 +26,19 @@ jobs:
 token: ${{ secrets.GHE_TOKEN }}
 path: ${{ github.ref_name }}
 - name: "Prepare assets"
+ env:
+ SIGNING_KEY_UID: ${{ vars.signing_key_uid }}
 run: |
- cd ${{ github.ref_name }}
+ cd "$GITHUB_REF_NAME"
 ./util/mktar.sh
- mkdir assets && mv ${{ github.ref_name }}.tar.gz assets/ && cd assets
- openssl sha1 -r ${{ github.ref_name }}.tar.gz > ${{ github.ref_name }}.tar.gz.sha1
- openssl sha256 -r ${{ github.ref_name }}.tar.gz > ${{ github.ref_name }}.tar.gz.sha256
- gpg -u ${{ vars.signing_key_uid }} -o ${{ github.ref_name }}.tar.gz.asc -sba ${{ github.ref_name }}.tar.gz
+ mkdir -p assets && mv "$GITHUB_REF_NAME.tar.gz" assets/ && cd assets
+ openssl sha1 -r "$GITHUB_REF_NAME.tar.gz" > "$GITHUB_REF_NAME.tar.gz.sha1"
+ openssl sha256 -r "$GITHUB_REF_NAME.tar.gz" > "$GITHUB_REF_NAME.tar.gz.sha256"
+ gpg -u "$SIGNING_KEY_UID" -o "$GITHUB_REF_NAME.tar.gz.asc" -sba "$GITHUB_REF_NAME.tar.gz"
 - name: "Create release"
 env:
 GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
 run: |
- VERSION=$(echo ${{ github.ref_name }} | cut -d "-" -f 2-)
- PRE_RELEASE=$([[ ${{ github.ref_name }} =~ alpha|beta ]] && echo "-p" || echo "")
- gh release create ${{ github.ref_name }} $PRE_RELEASE -t "OpenSSL $VERSION" -d --notes " " -R ${{ github.repository }} ${{ github.ref_name }}/assets/*
+ VERSION="$(echo "$GITHUB_REF_NAME" | cut -d '-' -f 2-)"
+ PRE_RELEASE=$([[ "$GITHUB_REF_NAME" =~ alpha|beta ]] && echo "-p" || echo "")
+ gh release create "$GITHUB_REF_NAME" $PRE_RELEASE -t "OpenSSL $VERSION" -d --notes " " -R "$GITHUB_REPOSITORY" "$GITHUB_REF_NAME/assets/"*
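Review bot: `$PRE_RELEASE` in the new `gh release create` line is the one expansion deliberately left unquoted so that an empty value vanishes, which reads as an oversight next to the quoting applied everywhere else in this step; an array states the intent and stays correct if the flag ever grows an argument: `PRE_RELEASE=()`, `if [[ "$GITHUB_REF_NAME" =~ alpha|beta ]]; then PRE_RELEASE=(-p); fi`, and `"${PRE_RELEASE[@]}"` in the gh call. The `echo | cut` pipeline for VERSION can likewise become the parameter expansion `VERSION="${GITHUB_REF_NAME#*-}"`, which yields the same string for tag names like `openssl-3.6.0-alpha1` without a subshell. The `=~ alpha|beta` match is unanchored and fires on those substrings anywhere in the tag, which is presumably intended for this project's naming but is worth a one-line comment such as `# pre-release tags carry "alpha"/"beta" in the name`. Both `run:` scripts are shown in full here, but the surrounding job definition continues outside the hunk.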