Harden github workflow against injection
lukaw3d committed Aug 14, 2024
1 parent 2057e22 commit 9aa5454
Showing 3 changed files with 12 additions and 4 deletions.
5 changes: 4 additions & 1 deletion .github/actions/hash-rust/action.yml
Expand Up @@ -40,9 +40,12 @@ runs:
steps:
- shell: bash
id: build
env:
INPUTS_DIR: ${{ inputs.dir }}
INPUTS_IMAGE: ${{ inputs.image }}
run: |
GITHUB_TEMP_DIR=$(dirname "$GITHUB_OUTPUT")
docker run --rm -i -e GITHUB_OUTPUT -v ${GITHUB_TEMP_DIR}:${GITHUB_TEMP_DIR} -v ${{ inputs.dir }}:/src ${{ inputs.image }} /bin/bash <<-'EOF'
docker run --rm -i -e GITHUB_OUTPUT -v "${GITHUB_TEMP_DIR}:${GITHUB_TEMP_DIR}" -v "$INPUTS_DIR:/src" "$INPUTS_IMAGE" /bin/bash <<-'EOF'
set -e
${{ inputs.setup }}
cd /src
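Review bot: `${{ inputs.setup }}` inside the heredoc is still expanded by the workflow templating before bash ever sees the script, so the quoted `'EOF'` delimiter does not protect it, and a value containing a line reading `EOF` would end the heredoc early and hand the rest to the runner's shell instead of the container. Since `setup` is meant to carry commands, route it the same way as the other two inputs: add `INPUTS_SETUP: ${{ inputs.setup }}` to the `env:` block, pass `-e INPUTS_SETUP` to `docker run`, and replace the inline expression with `eval "$INPUTS_SETUP"` so the text only ever reaches the container as data in an environment variable.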
8 changes: 6 additions & 2 deletions .github/actions/lint-rust/action.yml
Expand Up @@ -13,16 +13,20 @@ runs:
steps:
- name: Clippy check
shell: bash
env:
MANIFEST_PATH: ${{ inputs.manifest_path }}
run: |
cargo clippy \
--all-features \
--locked \
--manifest-path ${{ inputs.manifest_path }} \
--manifest-path "$MANIFEST_PATH" \
-- \
-D warnings \
-D clippy::dbg_macro \
-A clippy::upper-case-acronyms
- name: Formatting check
shell: bash
run: cargo fmt --all --manifest-path ${{ inputs.manifest_path }} -- --check
env:
MANIFEST_PATH: ${{ inputs.manifest_path }}
run: cargo fmt --all --manifest-path "$MANIFEST_PATH" -- --check
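Review bot: The two new `env:` blocks in the Clippy and Formatting steps have no comment saying why the input goes through `MANIFEST_PATH` instead of being written into `run:`; a one-line comment on each (or on the first) noting that `${{ inputs.manifest_path }}` must not be interpolated into the script would keep a later edit from reintroducing the inline form.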
3 changes: 2 additions & 1 deletion .github/actions/test-rust/action.yml
Expand Up @@ -15,10 +15,11 @@ runs:

- name: Unit tests with coverage
shell: bash
run: cargo tarpaulin --out Xml --avoid-cfg-tarpaulin --manifest-path ${{ inputs.manifest_path }} -- --test-threads 1
run: cargo tarpaulin --out Xml --avoid-cfg-tarpaulin --manifest-path "$MANIFEST_PATH" -- --test-threads 1
env:
# Required as tarpaulin doesn't honor .cargo/config.
RUSTFLAGS: -C target-feature=+aes,+ssse3
MANIFEST_PATH: ${{ inputs.manifest_path }}

- name: Upload to codecov.io
uses: codecov/[email protected]
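Review bot: In the `env:` block of the tarpaulin step, `MANIFEST_PATH` is appended directly under `RUSTFLAGS`, so the existing comment "Required as tarpaulin doesn't honor .cargo/config." now reads as if it covers both variables. Put `MANIFEST_PATH` first or give it its own comment so the reason for each entry stays clear.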