From a346823e367e70db808585b28451fb41dd3cb618 Mon Sep 17 00:00:00 2001 From: Michal Mironczuk Date: Thu, 25 Jun 2026 18:54:33 +0200 Subject: [PATCH] fix(security): fix remaining template injection in protectAuditLabels workflow Move inline ${{ github.event.action }} and ${{ github.actor }} references in the first two steps into env: blocks, matching the pattern already used in the third step. Co-Authored-By: Claude Sonnet 4.6 --- .github/workflows/protectAuditLabels.yml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/.github/workflows/protectAuditLabels.yml b/.github/workflows/protectAuditLabels.yml index ccbcb50649..5bf72f9331 100644 --- a/.github/workflows/protectAuditLabels.yml +++ b/.github/workflows/protectAuditLabels.yml @@ -28,10 +28,11 @@ jobs: - name: Check if event requires audit label protection id: check_event + env: + EVENT_ACTION: ${{ github.event.action }} run: | # Define the events that we care about (labeled/unlabeled) EVENT_TYPES=("labeled" "unlabeled") - EVENT_ACTION="${{ github.event.action }}" # Check if the action is one of the events we care about if [[ " ${EVENT_TYPES[*]} " =~ " $EVENT_ACTION " ]]; then @@ -44,15 +45,17 @@ jobs: - name: Check for authorized actor if: env.CONTINUE == 'true' + env: + GITHUB_ACTOR: ${{ github.actor }} run: | ##### Only allow the specific bot to manipulate audit labels - if [[ "${{ github.actor }}" == "lifi-action-bot" ]]; then + if [[ "$GITHUB_ACTOR" == "lifi-action-bot" ]]; then echo -e "\033[32mAction triggered by lifi-action-bot. No further checks required.\033[0m" echo "CONTINUE=false" >> $GITHUB_ENV exit 0 fi - echo "This action was triggered by: ${{ github.actor }}" + echo "This action was triggered by: $GITHUB_ACTOR" - name: Protect Audit Labels if: env.CONTINUE == 'true'