From f80720823b651036267036ffd61df3d8442117e8 Mon Sep 17 00:00:00 2001
From: Zhong Jianxin <azuwis@gmail.com>
Date: Wed, 20 Nov 2024 20:50:24 +0800
Subject: [PATCH] workflows/eval: avoid potential script injection attack

Although matrix.system is supposed to be generated from trusted code,
it is better to follow [GitHub Actions good practices][1].

[1]: https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
---
 .github/workflows/eval.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/eval.yml b/.github/workflows/eval.yml
index c63496c7255f..1686898e6842 100644
--- a/.github/workflows/eval.yml
+++ b/.github/workflows/eval.yml
@@ -85,9 +85,11 @@ jobs:
         uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
 
       - name: Evaluate the ${{ matrix.system }} output paths for all derivation attributes
+        env:
+          MATRIX_SYSTEM: ${{ matrix.system }}
         run: |
           nix-build nixpkgs/ci -A eval.singleSystem \
-            --argstr evalSystem ${{ matrix.system }} \
+            --argstr evalSystem "$MATRIX_SYSTEM" \
             --arg attrpathFile ./paths/paths.json \
             --arg chunkSize 10000
           # If it uses too much memory, slightly decrease chunkSize
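Review bot: The new `env:` block on the line after the step name carries no comment saying why matrix.system is routed through an environment variable, so a later edit could easily reintroduce an inline `${{ matrix.system }}` into the script; a one-line comment above `env:` would pin the intent, e.g. `# Pass matrix.system through env so the expression is never spliced into the shell script.` The double quotes around `"$MATRIX_SYSTEM"` in the `--argstr` line are right and also protect against word splitting if the value ever contained whitespace. The `name:` field still interpolates `${{ matrix.system }}`, which is acceptable since that field is rendered as text rather than executed by a shell. The `run:` block continues past the end of the hunk, so any further inline expressions in the rest of the script are outside this review.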