From 1f7a948f6d1d1ed46842e03f8d52a6d3e4750fb0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gast=C3=B3n=20Fournier?= Date: Wed, 5 Jul 2023 13:35:12 +0200 Subject: [PATCH] chore: avoids code injection through git commit (#4147) ## About the changes Avoids code injection via the committer name or email Also removes pushing to s3 on `main` folder as it's not used and we're already pushing to `commits` folder --- .github/workflows/build.yaml | 8 -------- .github/workflows/notify_enterprise.yaml | 4 +++- 2 files changed, 3 insertions(+), 9 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 9be8be6b19..e265b33746 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -46,11 +46,3 @@ jobs: CI: true TEST_DATABASE_URL: postgres://postgres:postgres@localhost:5432/postgres DATABASE_URL: postgres://postgres:postgres@localhost:5432/postgres - - uses: aws-actions/configure-aws-credentials@v2 - with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - aws-region: ${{ secrets.AWS_DEFAULT_REGION }} - - name: Publish static assets to S3 - run: | - aws s3 cp frontend/build s3://getunleash-static/unleash/main/$(git rev-parse HEAD) --recursive diff --git a/.github/workflows/notify_enterprise.yaml b/.github/workflows/notify_enterprise.yaml index e70d7c4303..7aa5abf3bf 100644 --- a/.github/workflows/notify_enterprise.yaml +++ b/.github/workflows/notify_enterprise.yaml @@ -26,6 +26,8 @@ jobs: - uses: actions/checkout@v3 - name: Trigger sync uses: actions/github-script@v6 + env: + COMMIT_ACTOR: ${{ github.event.commits[0].author.name }} <${{ github.event.commits[0].author.email }}> with: github-token: ${{ secrets.UNLEASH_CI_BUILDER_GITHUB_TOKEN }} script: | @@ -36,7 +38,7 @@ jobs: ref: 'master', inputs: { commit: "${{ github.event.head_commit.id }}", - actor: "${{ github.event.commits[0].author.name }} <${{ github.event.commits[0].author.email }}>", + actor: "${{ env.COMMIT_ACTOR }}", message: ${{ toJSON(github.event.head_commit.message) }}, } })