From: Dmitry Misharov
Date: Thu, 23 Oct 2025 10:23:55 +0000 (+0200)
Subject: remove potentially not secure template expansions
X-Git-Tag: 3.0-PRE-CLANG-FORMAT-WEBKIT~11
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a6b195df4eab406925f9fed7e3b4e669b7a4e6a5;p=thirdparty%2Fopenssl.git
remove potentially not secure template expansions
https://docs.zizmor.sh/audits/#template-injection
Reviewed-by: Eugene Syromiatnikov
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/29275)
---
diff --git a/.github/workflows/deploy-docs-openssl-org.yml b/.github/workflows/deploy-docs-openssl-org.yml
index 7b8e6838a7e..fec8ca8b500 100644
--- a/.github/workflows/deploy-docs-openssl-org.yml
+++ b/.github/workflows/deploy-docs-openssl-org.yml
@@ -14,7 +14,7 @@ jobs:
 steps:
 - name: "Trigger deployment workflow"
 run: |
- gh workflow run -f branch=${{ github.ref_name }} deploy-site.yaml
+ gh workflow run -f branch=${GITHUB_REF_NAME} deploy-site.yaml
 sleep 3
 RUN_ID=$(gh run list -w deploy-site.yaml -L 1 --json databaseId -q ".[0].databaseId")
 gh run watch ${RUN_ID} --exit-status
diff --git a/.github/workflows/make-release.yml b/.github/workflows/make-release.yml
index c29c4b64bc0..204303d2be4 100644
--- a/.github/workflows/make-release.yml
+++ b/.github/workflows/make-release.yml
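Review bot: `${GITHUB_REF_NAME}` is left unquoted on the new `gh workflow run` line in deploy-docs-openssl-org.yml, while the same variable is double-quoted at every use in make-release.yml in this commit. Reading it from the environment already keeps the ref name from being parsed as script text, and git's ref-name rules exclude whitespace and glob characters, so this is a consistency and defence-in-depth point rather than a live defect. Suggested line: `gh workflow run -f "branch=${GITHUB_REF_NAME}" deploy-site.yaml`. The rest of the job lies outside the hunk.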
@@ -26,13 +26,15 @@ jobs:
 token: ${{ secrets.GHE_TOKEN }}
 path: ${{ github.ref_name }}
 - name: "Prepare assets"
+ env:
+ SIGNING_KEY_UID: ${{ vars.signing_key_uid }}
 run: |
- cd ${{ github.ref_name }}
+ cd "$GITHUB_REF_NAME"
 ./util/mktar.sh
- mkdir assets && mv ${{ github.ref_name }}.tar.gz assets/ && cd assets
- openssl sha1 -r ${{ github.ref_name }}.tar.gz > ${{ github.ref_name }}.tar.gz.sha1
- openssl sha256 -r ${{ github.ref_name }}.tar.gz > ${{ github.ref_name }}.tar.gz.sha256
- gpg -u ${{ vars.signing_key_uid }} -o ${{ github.ref_name }}.tar.gz.asc -sba ${{ github.ref_name }}.tar.gz
+ mkdir -p assets && mv "$GITHUB_REF_NAME.tar.gz" assets/ && cd assets
+ openssl sha1 -r "$GITHUB_REF_NAME.tar.gz" > "$GITHUB_REF_NAME.tar.gz.sha1"
+ openssl sha256 -r "$GITHUB_REF_NAME.tar.gz" > "$GITHUB_REF_NAME.tar.gz.sha256"
+ gpg -u "$SIGNING_KEY_UID" -o "$GITHUB_REF_NAME.tar.gz.asc" -sba "$GITHUB_REF_NAME.tar.gz"
 - name: "Create release"
 env:
 GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
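Review bot: `SIGNING_KEY_UID` is handed to `gpg -u` in the "Prepare assets" script without a check that it is set, and an unset `vars.signing_key_uid` expands to an empty string. Before this change an empty value left `-u` consuming `-o` as its argument; now gpg receives an explicit empty `-u ""`, and which key it then signs with is not something this hunk establishes. For a release-signing step it is safer to fail closed, for example with `: "${SIGNING_KEY_UID:?vars.signing_key_uid is not set}"` as the first line of the `run` script. The "Prepare assets" step is fully visible here; the "Create release" step continues past the end of the hunk.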