
Commit 1627fe3

ci: For security, replace some workflow substitutions with safer env substitutions (#2088)
Signed-off-by: Larry Gritz <lg@larrygritz.com>
1 parent 70f542f commit 1627fe3


1 file changed

+7
-5
lines changed


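--- a/.github/workflows/build-steps.yml
+++ b/.github/workflows/build-steps.yml
@@ -120,6 +120,8 @@ jobs:
 ABI_CHECK: ${{inputs.abi_check}}
 ACTIONS_RUNNER_FORCE_ACTIONS_NODE_VERSION: node16
 ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: true
+SETENVS: ${{inputs.setenvs}}
+DEPCMDS: ${{inputs.depcmds}}
 
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -128,7 +130,7 @@ jobs:
 - name: Build setup
 shell: bash
 run: |
-${{inputs.setenvs}}
+eval "$SETENVS"
 src/build-scripts/ci-startup.bash
 - name: Prepare ccache timestamp
 id: ccache_cache_keys
@@ -150,7 +152,7 @@ jobs:
 - name: Dependencies
 shell: bash
 run: |
-${{inputs.depcmds}}
+eval "$DEPCMDS"
 if [[ "$RUNNER_OS" == "Linux" ]]; then
 src/build-scripts/gh-installdeps.bash
 elif [[ "$RUNNER_OS" == "macOS" ]]; then
@@ -212,10 +214,10 @@ jobs:
 run: |
 which sonar-scanner
 ls -l /__w/OpenShadingLanguage/OpenShadingLanguage/bw_output
-echo "BUILD_OUTPUT_DIR is " "${{ env.BUILD_WRAPPER_OUT_DIR }}"
+echo "BUILD_OUTPUT_DIR is ${BUILD_WRAPPER_OUT_DIR}"
 find . -name "*.gcov" -print
-# sonar-scanner --define sonar.cfamily.build-wrapper-output="${{ env.BUILD_WRAPPER_OUT_DIR }}"
-time sonar-scanner --define sonar.host.url="${{ env.SONAR_SERVER_URL }}" --define sonar.cfamily.build-wrapper-output="$BUILD_WRAPPER_OUT_DIR" --define sonar.cfamily.gcov.reportsPath="_coverage" --define sonar.cfamily.threads="$PARALLEL"
+# sonar-scanner --define sonar.cfamily.build-wrapper-output="${BUILD_WRAPPER_OUT_DIR}"
+time sonar-scanner --define sonar.host.url="${SONAR_SERVER_URL}" --define sonar.cfamily.build-wrapper-output="$BUILD_WRAPPER_OUT_DIR" --define sonar.cfamily.gcov.reportsPath="_coverage" --define sonar.cfamily.threads="$PARALLEL"
 # Consult https://docs.sonarcloud.io/advanced-setup/ci-based-analysis/sonarscanner-cli/ for more information and options
 - name: Check ABI
 if: inputs.abi_check != ''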
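Review bot: `eval "$SETENVS"` in the Build setup step and `eval "$DEPCMDS"` in the Dependencies step still run the input text as shell, so the change stops the inputs from being pasted into the script body by expression expansion but leaves them a code-execution channel by design. That trust assumption should be written down next to the two new env entries, for example `# setenvs/depcmds are trusted shell snippets supplied by the calling workflow; never populate them from PR titles, branch names or other event data`. The two variables also appear to sit in the job-level `env:` block (the hunk starts inside that block, so this is inferred), which makes them visible to every step in the job, including third-party actions. Declaring each one in a step-level `env:` on only the step that evals it, e.g. `env:` / `SETENVS: ${{inputs.setenvs}}` under Build setup, would narrow that exposure.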
