From 2c704c5ea7d536fcf115ef67501115f3a69d533d Mon Sep 17 00:00:00 2001
From: Lucas Rodriguez <lucas.rodriguez9616@gmail.com>
Date: Thu, 4 Apr 2024 23:30:56 -0500
Subject: [PATCH] fix: use env var for PR title in commitlint workflow to
 prevent untrusted script injection (#2418)

## Description
Our OSSF scorecard workflow flagged this as a `Critical` security risk.
Unsure of whether there is a real attack vector in our specific case.
Using an environment variable to capture untrusted input in workflows is
a documented security hardening best practice by GitHub as well.

This should also boost our OSSF scorecard score since we have a `0` on
this check.

<img width="969" alt="image"
src="https://github.com/defenseunicorns/zarf/assets/87675701/a07c699f-3601-44f2-b181-36f91f3637f8">

`Dangerous-Workflow` check:
-
https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#dangerous-workflow

Risk of script injections:
-
https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#understanding-the-risk-of-script-injections

Example script injection attack:
-
https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#example-of-a-script-injection-attack

Recommended fix that this PR implements:
-
https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable

## Type of change
- [x] Other (security config, docs update, etc)

## Checklist before merging

- [x] Test, docs, adr added or updated as needed
- [x] [Contributor Guide
Steps](https://github.com/defenseunicorns/zarf/blob/main/CONTRIBUTING.md#developer-workflow)
followed
---
 .github/workflows/commitlint.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/commitlint.yml b/.github/workflows/commitlint.yml
index b25a1b28db..39838c5298 100644
--- a/.github/workflows/commitlint.yml
+++ b/.github/workflows/commitlint.yml
@@ -24,4 +24,6 @@ jobs:
         run: npm install --save-dev @commitlint/{config-conventional,cli}
 
       - name: Lint PR title
-        run: echo "${{ github.event.pull_request.title }}" | npx commitlint
+        env:
+          PR_TITLE: ${{ github.event.pull_request.title }}
+        run: echo "$PR_TITLE" | npx commitlint