Skip to content

Commit 060ee9d

Browse files
aksOpsclaude
andcommitted
fix(release-darwin): pass tag via env var (semgrep run-shell-injection)
Semgrep flagged 5× `yaml.github-actions.security.run-shell-injection` in release-darwin.yml. Pattern was: run: | TAG="${GITHUB_REF_NAME:-${{ github.event.inputs.tag }}}" The `${{ github.event.inputs.tag }}` expression gets interpolated INTO the shell script at workflow runtime — a malicious workflow_dispatch caller could inject shell code via the `tag` input. Fix: hoist the tag resolution into a workflow-level `env: TAG: …`, then reference $TAG inside each shell block. Same effective value (workflow_dispatch input wins; falls back to ref_name on tag push), but the input never reaches a shell un-escaped. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
1 parent ad888c1 commit 060ee9d

1 file changed

Lines changed: 6 additions & 5 deletions

File tree

.github/workflows/release-darwin.yml

Lines changed: 6 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -27,6 +27,12 @@ permissions:
2727
id-token: write # Sigstore keyless via GitHub OIDC
2828
attestations: write
2929

30+
# Pass the input/ref to the shell via env vars (not inline `${{ }}`
31+
# interpolation) — Semgrep `yaml.github-actions.security.run-shell-injection`
32+
# rule. inputs.tag for workflow_dispatch; GITHUB_REF_NAME for tag pushes.
33+
env:
34+
TAG: ${{ github.event.inputs.tag || github.ref_name }}
35+
3036
jobs:
3137
release-darwin:
3238
name: release (darwin / arm64)
@@ -48,7 +54,6 @@ jobs:
4854
GOOS: darwin
4955
GOARCH: arm64
5056
run: |
51-
TAG="${GITHUB_REF_NAME:-${{ github.event.inputs.tag }}}"
5257
VERSION="${TAG#v}"
5358
go build \
5459
-trimpath \
@@ -62,7 +67,6 @@ jobs:
6267
- name: Package archive
6368
working-directory: go
6469
run: |
65-
TAG="${GITHUB_REF_NAME:-${{ github.event.inputs.tag }}}"
6670
VERSION="${TAG#v}"
6771
ARCHIVE_DIR="codeiq_${VERSION}_darwin_arm64"
6872
mkdir -p "${ARCHIVE_DIR}"
@@ -76,7 +80,6 @@ jobs:
7680
uses: anchore/sbom-action/download-syft@e22c389904149dbc22b58101806040fa8d37a610 # v0.24.0
7781
- name: Generate SBOM
7882
run: |
79-
TAG="${GITHUB_REF_NAME:-${{ github.event.inputs.tag }}}"
8083
VERSION="${TAG#v}"
8184
ARCHIVE="codeiq_${VERSION}_darwin_arm64.tar.gz"
8285
syft "$ARCHIVE" --output spdx-json="${ARCHIVE}.sbom.spdx.json"
@@ -85,7 +88,6 @@ jobs:
8588
uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
8689
- name: Sign archive (Sigstore keyless, bundle format)
8790
run: |
88-
TAG="${GITHUB_REF_NAME:-${{ github.event.inputs.tag }}}"
8991
VERSION="${TAG#v}"
9092
ARCHIVE="codeiq_${VERSION}_darwin_arm64.tar.gz"
9193
cosign sign-blob \
@@ -97,7 +99,6 @@ jobs:
9799
env:
98100
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
99101
run: |
100-
TAG="${GITHUB_REF_NAME:-${{ github.event.inputs.tag }}}"
101102
VERSION="${TAG#v}"
102103
# Retry up to 3 times to handle race with release-go.yml
103104
# creating the Release.

0 commit comments

Comments
 (0)