Commit 286adea

pbrisbin and brokenpip3 authored
Allow configuring the github-token used (#60)
* Allow configuring the github-token used

* Pass inputs.github-token via env

Interpolating inputs directly is an injection vector; passing through environment variables is a security best-practice[^1].

[^1]: https://docs.github.com/en/enterprise-cloud@latest/enterprise-onboarding/github-actions-for-your-enterprise/security-hardening-for-github-actions#using-an-intermediate-environment-variable

---------

Co-authored-by: Luigi Operoso <40476330+brokenpip3@users.noreply.github.com>
1 parent 7c1220d commit 286adea

1 file changed: +8 -2 lines changed

action.yaml

Lines changed: 8 additions & 2 deletions
@@ -81,6 +81,10 @@ inputs:
8181
description: "Bats-file: clean temp files"
8282
required: false
8383
default: true
84+
github-token:
85+
description: "GitHub token to use to download the releases"
86+
required: false
87+
default: ${{ github.token }}
8488
outputs:
8589
bats-installed:
8690
description: "True/False if bats has been installed"
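Review bot: The `description` on the new `github-token` input (new line 85) does not tell callers what the token is used for beyond "download the releases", or that omitting it falls back to the workflow's own `github.token`. In the install step the value is only ever placed in the `Authorization` header of the two `curl` calls, so the description could say that explicitly, for example "GitHub token used to authenticate the bats-core release lookup and archive download; defaults to the workflow token". That gives a caller supplying their own token enough to choose one scoped to those two requests.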
@@ -138,21 +142,23 @@ runs:
138142
139143
# From https://github.com/fluxcd/flux2/blob/44d69d6fc0c353e79c1bad021a4aca135033bce8/action/action.yml#L35
140144
if [[ -z "$VERSION" ]] || [[ "$VERSION" = "latest" ]]; then
141-
VERSION=$(curl -fsSL --retry 4 --retry-connrefused -H "Authorization: token ${{ github.token }}" https://api.github.com/repos/bats-core/bats-core/releases/latest | grep tag_name | cut -d '"' -f 4)
145+
VERSION=$(curl -fsSL --retry 4 --retry-connrefused -H "Authorization: token $GITHUB_TOKEN" https://api.github.com/repos/bats-core/bats-core/releases/latest | grep tag_name | cut -d '"' -f 4)
142146
fi
143147
[[ $VERSION == v* ]] && VERSION="${VERSION:1}"
144148
145149
mkdir -p ${TEMPDIR}
146150
mkdir -p ${DESTDIR}
147151
148-
curl -sL --retry 4 --retry-connrefused -H "Authorization: token ${{ github.token }}" ${URL}/archive/refs/tags/v${VERSION}.tar.gz | tar xz -C ${TEMPDIR} --strip-components 1 && cd ${TEMPDIR}
152+
curl -sL --retry 4 --retry-connrefused -H "Authorization: token $GITHUB_TOKEN" ${URL}/archive/refs/tags/v${VERSION}.tar.gz | tar xz -C ${TEMPDIR} --strip-components 1 && cd ${TEMPDIR}
149153
150154
./install.sh ${DESTDIR}
151155
echo "Bats v${VERSION} installed in ${DESTDIR}"
152156
echo "${DESTDIR}/bin" >> "$GITHUB_PATH"
153157
echo "bats-installed=true" >> $GITHUB_OUTPUT
154158
155159
rm -rf ${TEMPDIR} || exit 0
160+
env:
161+
GITHUB_TOKEN: ${{ inputs.github-token }}
156162

157163
- name: Set paths and commands for libraries
158164
shell: bash
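Review bot: The step-level `env:` at new lines 160-161 exports `GITHUB_TOKEN` to every command in this step, not only the two `curl` calls that need it, so `./install.sh` from the archive that was just downloaded runs with the token in its environment. With this change the value can be a caller-supplied token rather than the workflow's own `github.token`, which makes the wider exposure matter more. Consider dropping it before the installer runs, for example `unset GITHUB_TOKEN` after the second `curl`, or `env -u GITHUB_TOKEN ./install.sh ${DESTDIR}`. The switch from `${{ github.token }}` to `$GITHUB_TOKEN` inside the script body is the right way to consume the input.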
