
Commit 7c74983

authored
Merge pull request #137 from NHSDigital/fix-github-actions-sonarqube-issues
Change PR workflow to not use user-controlled data directly in a run
2 parents 5bd0b12 + b0768ee commit 7c74983


2 files changed

+8
-2
lines changed

2 files changed

+8
-2
lines changed

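--- a/.github/workflows/cicd-1-pull-request.yaml
+++ b/.github/workflows/cicd-1-pull-request.yaml
@@ -25,11 +25,14 @@ jobs:
 terraform_version: ${{ steps.variables.outputs.terraform_version }}
 version: ${{ steps.variables.outputs.version }}
 does_pull_request_exist: ${{ steps.pr_exists.outputs.does_pull_request_exist }}
+branch_name: ${{ steps.variables.outputs.branch_name }}
 steps:
 - name: "Checkout code"
 uses: actions/checkout@v5
 - name: "Set CI/CD variables"
 id: variables
+env:
+BRANCH_NAME: ${{ github.head_ref }}
 run: |
 datetime=$(date -u +'%Y-%m-%dT%H:%M:%S%z')
 BUILD_DATETIME=$datetime make version-create-effective-file
@@ -41,6 +44,7 @@ jobs:
 echo "python_version=$(grep "^python\s" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
 echo "terraform_version=$(grep "^terraform\s" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
 echo "version=$(head -n 1 .version 2> /dev/null || echo unknown)" >> $GITHUB_OUTPUT
+echo "branch_name=$BRANCH_NAME" >> $GITHUB_OUTPUT
 - name: "Check if pull request exists for this branch"
 id: pr_exists
 env:
@@ -66,7 +70,7 @@ jobs:
 export TERRAFORM_VERSION="${{ steps.variables.outputs.terraform_version }}"
 export VERSION="${{ steps.variables.outputs.version }}"
 export DOES_PULL_REQUEST_EXIST="${{ steps.pr_exists.outputs.does_pull_request_exist }}"
-export BRANCH_NAME="${{ github.head_ref }}"
+export BRANCH_NAME="${{ steps.variables.outputs.branch_name }}"
 make list-variables
 commit-stage: # Recommended maximum execution time is 2 minutes
 name: "Commit stage"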
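Review bot: The new `export BRANCH_NAME="${{ steps.variables.outputs.branch_name }}"` in the last hunk still places user-controlled data directly in a `run:` script: `branch_name` is filled from `github.head_ref` two hunks earlier, and a step output derived from untrusted input is substituted into the shell text before it executes just as the original `github.head_ref` expression was, so routing it through `$GITHUB_OUTPUT` does not remove the injection the commit sets out to fix. The pattern the first hunk already uses applies here as well: give the `List variables` step `env:` / `  BRANCH_NAME: ${{ steps.variables.outputs.branch_name }}` and change the run line to `export BRANCH_NAME="$BRANCH_NAME"`. The head of the `List variables` step lies outside this hunk, so if it already has an `env:` block the key belongs there. The same exported line appears in .github/workflows/cicd-2-main-branch.yaml and needs the same treatment.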

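--- a/.github/workflows/cicd-2-main-branch.yaml
+++ b/.github/workflows/cicd-2-main-branch.yaml
@@ -21,6 +21,7 @@ jobs:
 python_version: ${{ steps.variables.outputs.python_version }}
 terraform_version: ${{ steps.variables.outputs.terraform_version }}
 version: ${{ steps.variables.outputs.version }}
+branch_name: ${{ steps.variables.outputs.branch_name }}
 steps:
 - name: "Checkout code"
 uses: actions/checkout@v5
@@ -37,6 +38,7 @@ jobs:
 echo "python_version=$(grep "^python\s" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
 echo "terraform_version=$(grep "^terraform\s" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
 echo "version=$(head -n 1 .version 2> /dev/null || echo unknown)" >> $GITHUB_OUTPUT
+echo "branch_name=$BRANCH_NAME" >> $GITHUB_OUTPUT
 - name: "List variables"
 run: |
 export BUILD_DATETIME_LONDON="${{ steps.variables.outputs.build_datetime_london }}"
@@ -47,7 +49,7 @@ jobs:
 export PYTHON_VERSION="${{ steps.variables.outputs.python_version }}"
 export TERRAFORM_VERSION="${{ steps.variables.outputs.terraform_version }}"
 export VERSION="${{ steps.variables.outputs.version }}"
-export BRANCH_NAME="${{ github.head_ref }}"
+export BRANCH_NAME="${{ steps.variables.outputs.branch_name }}"
 make list-variables
 commit-stage: # Recommended maximum execution time is 2 minutes
 name: "Commit stage"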
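Review bot: The added `echo "branch_name=$BRANCH_NAME" >> $GITHUB_OUTPUT` in the second hunk reads a shell variable that nothing in this file's diff sets: the matching change in cicd-1-pull-request.yaml also adds `env:` / `BRANCH_NAME: ${{ github.head_ref }}` to the `Set CI/CD variables` step, whereas this section's three additions are the output, the echo and the export only. Unless `BRANCH_NAME` is defined at job or workflow level outside the hunks, the `branch_name` output will be empty here. Since `github.head_ref` is only populated for pull-request events, if this workflow runs on push the `env` entry probably wants `${{ github.ref_name }}` instead; the head of the step is outside the hunk, so this is inferred from the diffstat. As in the other file, `export BRANCH_NAME="${{ steps.variables.outputs.branch_name }}"` in the last hunk should become a step-level `env:` entry plus `export BRANCH_NAME="$BRANCH_NAME"` so the value never reaches the shell text unquoted.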
