From 33ec173876c409c3be4c3a7aef0f13b5d0c133b6 Mon Sep 17 00:00:00 2001
From: Dmitry Misharov
Date: Thu, 23 Oct 2025 12:23:55 +0200
Subject: [PATCH] remove potentially not secure template expansions

https://docs.zizmor.sh/audits/#template-injection

Reviewed-by: Neil Horman
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/28982)
---
 .github/workflows/coveralls.yml | 7 +++++--
 .github/workflows/deploy-docs-openssl-org.yml | 2 +-
 .github/workflows/make-release.yml | 18 ++++++++++--------
 3 files changed, 16 insertions(+), 11 deletions(-)

diff --git a/.github/workflows/coveralls.yml b/.github/workflows/coveralls.yml
index dd1782e308..d195b71615 100644
--- a/.github/workflows/coveralls.yml
+++ b/.github/workflows/coveralls.yml
@@ -31,12 +31,15 @@ jobs:
 steps:
 - name: Define branches
 id: branches
+ env:
+ GITHUB_EVENT_INPUTS_BRANCH: ${{ github.event.inputs.branch }}
+ GITHUB_EVENT_INPUTS_EXTRA_CONFIG: ${{ github.event.inputs.extra_config }}
 run: |
 if [ "${{ github.event_name}}" = "workflow_dispatch" ]; then
 MATRIX=$(cat << EOF
 [{
- "branch": "${{ github.event.inputs.branch }}",
- "extra_config": "${{ github.event.inputs.extra_config }}"
+ "branch": "${GITHUB_EVENT_INPUTS_BRANCH}",
+ "extra_config": "${GITHUB_EVENT_INPUTS_EXTRA_CONFIG}"
 }]
 EOF
 )
diff --git a/.github/workflows/deploy-docs-openssl-org.yml b/.github/workflows/deploy-docs-openssl-org.yml
index e71b1f1539..e3fd909bc6 100644
--- a/.github/workflows/deploy-docs-openssl-org.yml
+++ b/.github/workflows/deploy-docs-openssl-org.yml
@@ -17,7 +17,7 @@ jobs:
 steps:
 - name: "Trigger deployment workflow"
 run: |
- gh workflow run -f branch=${{ github.ref_name }} deploy-site.yaml
+ gh workflow run -f branch=${GITHUB_REF_NAME} deploy-site.yaml
 sleep 3
 RUN_ID=$(gh run list -w deploy-site.yaml -L 1 --json databaseId -q ".[0].databaseId")
 gh run watch ${RUN_ID} --exit-status
diff --git a/.github/workflows/make-release.yml b/.github/workflows/make-release.yml
index 038ffad877..e9543b77b6 100644
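Review bot: Moving the two inputs into `env:` closes the shell-injection path, but the new lines `"branch": "${GITHUB_EVENT_INPUTS_BRANCH}",` and `"extra_config": "${GITHUB_EVENT_INPUTS_EXTRA_CONFIG}"` still splice the raw values into a JSON document assembled by `cat << EOF`, so an input containing `"`, `\` or a newline produces a malformed MATRIX or lets the dispatcher add matrix keys. Building the document with `MATRIX=$(jq -n --arg branch "$GITHUB_EVENT_INPUTS_BRANCH" --arg extra_config "$GITHUB_EVENT_INPUTS_EXTRA_CONFIG" '[{branch: $branch, extra_config: $extra_config}]')` escapes both values properly, if jq is acceptable in this workflow. The remaining `${{ github.event_name}}` in the `if` test is not attacker-controlled and so is harmless, but the runner exposes the same value as `$GITHUB_EVENT_NAME`, which would leave the step with no inline expansions at all. The `if`/`run` block continues past the end of the hunk.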
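Review bot: The new line leaves `branch=${GITHUB_REF_NAME}` unquoted, unlike the `"$GITHUB_REF_NAME"` form this same patch introduces in make-release.yml; a git ref name cannot contain whitespace, so this is a consistency point rather than a bug, but `gh workflow run -f "branch=${GITHUB_REF_NAME}" deploy-site.yaml` keeps the two workflows uniform. Not introduced here, but the following `sleep 3` / `gh run list -L 1` lines watch whichever run of deploy-site.yaml is newest, which is presumably the one just dispatched yet is not guaranteed if another trigger lands in that window; since `gh workflow run` does not return a run id, a comment such as `# -L 1 assumes our dispatch is the newest run; a concurrent trigger could be watched instead` would make the limitation explicit.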
--- a/.github/workflows/make-release.yml
+++ b/.github/workflows/make-release.yml
@@ -29,17 +29,19 @@ jobs:
 path: ${{ github.ref_name }}
 persist-credentials: false
 - name: "Prepare assets"
+ env:
+ SIGNING_KEY_UID: ${{ vars.signing_key_uid }}
 run: |
- cd ${{ github.ref_name }}
+ cd "$GITHUB_REF_NAME"
 ./util/mktar.sh
- mkdir assets && mv ${{ github.ref_name }}.tar.gz assets/ && cd assets
- openssl sha1 -r ${{ github.ref_name }}.tar.gz > ${{ github.ref_name }}.tar.gz.sha1
- openssl sha256 -r ${{ github.ref_name }}.tar.gz > ${{ github.ref_name }}.tar.gz.sha256
- gpg -u ${{ vars.signing_key_uid }} -o ${{ github.ref_name }}.tar.gz.asc -sba ${{ github.ref_name }}.tar.gz
+ mkdir -p assets && mv "$GITHUB_REF_NAME.tar.gz" assets/ && cd assets
+ openssl sha1 -r "$GITHUB_REF_NAME.tar.gz" > "$GITHUB_REF_NAME.tar.gz.sha1"
+ openssl sha256 -r "$GITHUB_REF_NAME.tar.gz" > "$GITHUB_REF_NAME.tar.gz.sha256"
+ gpg -u "$SIGNING_KEY_UID" -o "$GITHUB_REF_NAME.tar.gz.asc" -sba "$GITHUB_REF_NAME.tar.gz"
 - name: "Create release"
 env:
 GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
 run: |
- VERSION=$(echo ${{ github.ref_name }} | cut -d "-" -f 2-)
- PRE_RELEASE=$([[ ${{ github.ref_name }} =~ alpha|beta ]] && echo "-p" || echo "")
- gh release create ${{ github.ref_name }} $PRE_RELEASE -t "OpenSSL $VERSION" -d --notes " " -R ${{ github.repository }} ${{ github.ref_name }}/assets/*
+ VERSION="$(echo "$GITHUB_REF_NAME" | cut -d '-' -f 2-)"
+ PRE_RELEASE=$([[ "$GITHUB_REF_NAME" =~ alpha|beta ]] && echo "-p" || echo "")
+ gh release create "$GITHUB_REF_NAME" $PRE_RELEASE -t "OpenSSL $VERSION" -d --notes " " -R "$GITHUB_REPOSITORY" "$GITHUB_REF_NAME/assets/"*
-- 
2.47.3
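Review bot: `mkdir -p assets` on the new side replaces the old `mkdir assets`, which failed if the directory already existed, with a silent success, and because the final `gh release create ... "$GITHUB_REF_NAME/assets/"*` uploads everything in that directory, any pre-existing content would be attached to the release without an error; this goes beyond the template-expansion fix described in the commit message, and the fail-closed form is preferable for a release job, so I would keep `mkdir assets && mv "$GITHUB_REF_NAME.tar.gz" assets/ && cd assets`. The unquoted `$PRE_RELEASE` in the `gh release create` line is intentional (an empty value must vanish rather than become an empty argument) but now reads like an oversight next to the freshly quoted expansions; a comment such as `# $PRE_RELEASE is deliberately unquoted: empty means "no flag"` would stop a later cleanup from breaking it. The variable substitutions themselves look right, since `GITHUB_REF_NAME` and `GITHUB_REPOSITORY` are runner-provided defaults carrying the same values the removed `${{ }}` expansions did for a tag ref.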