From 3825cbca549c8e58a26c85f8ba79ebc82e61a995 Mon Sep 17 00:00:00 2001
From: vagusX
Date: Tue, 19 Dec 2023 11:23:53 +0800
Subject: [PATCH] ci: avoid branch name injection (#46524)
---
 .github/workflows/visual-regression-diff-build.yml | 5 ++++-
 .github/workflows/visual-regression-diff-finish.yml | 3 ++-
 .github/workflows/visual-regression-persist-finish.yml | 6 ++++--
 3 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/visual-regression-diff-build.yml b/.github/workflows/visual-regression-diff-build.yml
index e7a698f8a9..45c27a2d1e 100644
--- a/.github/workflows/visual-regression-diff-build.yml
+++ b/.github/workflows/visual-regression-diff-build.yml
@@ -87,8 +87,11 @@ jobs:
 # Execute visual regression diff task and zip then
 # output as visualRegressionReport.tar.gz
 - name: visual regression diff
+ env:
+ EVENT_NUMBER: ${{ github.event.number }}
+ BASE_REF: ${{ github.base_ref }}
 run: |
- npm run visual-regression -- --pr-id=${{ github.event.number }} --base-ref=${{ github.base_ref}}
+ npm run visual-regression -- --pr-id=$EVENT_NUMBER --base-ref=$BASE_REF
 # Upload report in `visualRegressionReport`
 - name: upload report artifact
diff --git a/.github/workflows/visual-regression-diff-finish.yml b/.github/workflows/visual-regression-diff-finish.yml
index 43c1925130..53020a587f 100644
--- a/.github/workflows/visual-regression-diff-finish.yml
+++ b/.github/workflows/visual-regression-diff-finish.yml
@@ -92,6 +92,7 @@ jobs:
 env:
 ALI_OSS_AK_ID: ${{ secrets.ALI_OSS_AK_ID }}
 ALI_OSS_AK_SECRET: ${{ secrets.ALI_OSS_AK_SECRET }}
+ PR_ID: ${{ steps.pr.outputs.id }}
 run: |
 mkdir ./visualRegressionReport
 tar -xzvf visualRegressionReport.tar.gz -C ./visualRegressionReport
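Review bot: On the new `npm run` line `$EVENT_NUMBER` and `$BASE_REF` are expanded unquoted, so the shell still word-splits and glob-expands them even though the `env:` hand-off now keeps the runner from pasting their text into the script; write `--pr-id="$EVENT_NUMBER" --base-ref="$BASE_REF"`. Git ref names cannot contain whitespace or the glob characters `*`, `?`, `[`, so today this is hygiene rather than a hole, but quoting makes the `run:` block correct regardless of where the value comes from and is what a reader of a change titled "avoid branch name injection" will look for. The same applies to `--ref=pr-$PR_ID` in visual-regression-diff-finish.yml and to `--ref=$HEAD_SHA` / `--ref=$HEAD_BRANCH` in visual-regression-persist-finish.yml. Whether `scripts/visual-regression` and `upload.js` treat the argument as data or splice it into a further shell command is not visible from this diff, so the quoting does not by itself settle the downstream question.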
@@ -102,7 +103,7 @@ jobs:
 echo "✅ Install `ali-oss` Finished"
 echo "🤖 Uploading"
- node scripts/visual-regression/upload.js ./visualRegressionReport --ref=pr-${{ steps.pr.outputs.id }}
+ node scripts/visual-regression/upload.js ./visualRegressionReport --ref=pr-$PR_ID
 echo "✅ Uploaded"
 delimiter="$(openssl rand -hex 8)"
diff --git a/.github/workflows/visual-regression-persist-finish.yml b/.github/workflows/visual-regression-persist-finish.yml
index e096bed452..660a402a8e 100644
--- a/.github/workflows/visual-regression-persist-finish.yml
+++ b/.github/workflows/visual-regression-persist-finish.yml
@@ -90,13 +90,15 @@ jobs:
 env:
 ALI_OSS_AK_ID: ${{ secrets.ALI_OSS_AK_ID }}
 ALI_OSS_AK_SECRET: ${{ secrets.ALI_OSS_AK_SECRET }}
+ HEAD_SHA: ${{ github.event.workflow_run.head_sha }}
+ HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}
 run: |
 rm package.json
 npm i ali-oss --no-save
 echo "✅ Install `ali-oss` Finished"
 echo "🤖 Uploading"
- node scripts/visual-regression/upload.js ./imageSnapshots.tar.gz --ref=${{ github.event.workflow_run.head_sha }}
- node scripts/visual-regression/upload.js ./visual-regression-ref.txt --ref=${{ github.event.workflow_run.head_branch }}
+ node scripts/visual-regression/upload.js ./imageSnapshots.tar.gz --ref=$HEAD_SHA
+ node scripts/visual-regression/upload.js ./visual-regression-ref.txt --ref=$HEAD_BRANCH
 echo "✅ Uploaded"
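Review bot: `$HEAD_BRANCH` still reaches `upload.js` verbatim as the `--ref` value on the second upload line; the `env:` indirection only stops the shell from parsing it, and a `workflow_run` head_branch is presumably named by whoever pushed the upstream pull request (inferred from the event field, since the trigger block is outside this hunk). If `upload.js` derives an object key or path from `--ref`, a shape check placed before the two upload lines closes that gap cheaply, e.g. `[[ "$HEAD_SHA" =~ ^[0-9a-f]{40}$ ]] || exit 1` followed by a similar test of `$HEAD_BRANCH` against a pattern that matches the branch names this project actually uses. The numeric form, `[[ "$PR_ID" =~ ^[0-9]+$ ]] || exit 1`, fits the `--ref=pr-$PR_ID` line in visual-regression-diff-finish.yml as well, because how step `pr` derives that id is not shown here. The enclosing step's `- name:` line starts outside the hunk.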