Remediate zizmor template injection issues (#278)

loosebazooka · web-flow · commit 79e6de0c5557 · 2025-06-09T10:38:00.000-07:00
This is not an exhaustive set of fixes for zizmor
reported issues, just those related to github inputs/vars
and template injection

Signed-off-by: Appu Goundan &lt;appu@google.com&gt;
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
@@ -91,6 +91,11 @@ on:
 jobs:
   publish:
     runs-on: ubuntu-latest
+    env:
+      REGISTRY_BRANCH: ${{ inputs.registry_branch }}
+      REGISTRY: ${{ inputs.registry }}
+      REGISTRY_FORK: ${{ inputs.registry_fork }}
+      TAG_NAME: ${{ inputs.tag_name }}
     steps:
     - name: Checkout the module repository
       uses: actions/checkout@v4.2.2
@@ -229,6 +234,11 @@ jobs:
     - name: Push to fork
       id: push-to-fork
       working-directory: bazel-central-registry
+      env:
+        # Set the author to the actor of this workflow. Use the github-provided
+        # noreply email address: https://docs.github.com/en/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-email-preferences/setting-your-commit-email-address.
+        AUTHOR_NAME: ${{ github.actor }}
+        AUTHOR_EMAIL: ${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com
       run: |
         set -o errexit -o nounset -o pipefail
 
@@ -237,15 +247,10 @@ jobs:
         COMMITTER_NAME="github-actions[bot]"
         COMMITTER_EMAIL="41898282+github-actions[bot]@users.noreply.github.com"
 
-        # Set the author to the actor of this workflow. Use the github-provided
-        # noreply email address: https://docs.github.com/en/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-email-preferences/setting-your-commit-email-address.
-        AUTHOR_NAME="${{ github.actor }}"
-        AUTHOR_EMAIL="${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com"
-
         # Use an authorized remote url to push to the fork
-        git remote add authed-fork https://x-access-token:${{ secrets.publish_token }}@github.com/${{ inputs.registry_fork }}.git
+        git remote add authed-fork https://x-access-token:${{ secrets.publish_token }}@github.com/${REGISTRY_FORK}.git
 
-        BRANCH="${{ steps.create-final-entry.outputs.module-names }}-${{ inputs.tag_name }}"
+        BRANCH="${{ steps.create-final-entry.outputs.module-names }}-${TAG_NAME}"
         git checkout -b "${BRANCH}"
         git add .
         git -c "author.name=${AUTHOR_NAME}" \
@@ -260,34 +265,36 @@ jobs:
 
     - name: Prepare PR variables
       id: pr-vars
+      env:
+        REPOSITORY: ${{ inputs.repository }}
       run: |
         set -o errexit -o nounset -o pipefail
 
         TITLE="${{ steps.create-final-entry.outputs.short-description }}"
         echo "title=${TITLE}" >> $GITHUB_OUTPUT
 
         echo "body<<EOF" >> $GITHUB_OUTPUT
-        echo -e "Release: https://github.com/${{ inputs.repository }}/releases/tag/${{ inputs.tag_name }}\n" >> $GITHUB_OUTPUT
+        echo -e "Release: https://github.com/${REPOSITORY}/releases/tag/${TAG_NAME}\n" >> $GITHUB_OUTPUT
         echo "_Automated by [Publish to BCR](https://github.com/bazel-contrib/publish-to-bcr)_" >> $GITHUB_OUTPUT
         echo "EOF" >> $GITHUB_OUTPUT
 
     - name: Open pull request
       if: ${{ inputs.open_pull_request }}
+      env:
+        DRAFT: ${{ inputs.draft }}
       working-directory: bazel-central-registry
       run: |
         set -o errexit -o nounset -o pipefail
 
-        REGISTRY_FORK="${{ inputs.registry_fork }}"
         FORK_OWNER="${REGISTRY_FORK%%/*}"
         BRANCH="${{ steps.push-to-fork.outputs.branch }}"
-        DRAFT="${{ inputs.draft }}"
         MAINTAINER_CAN_MODIFY=true
 
         REQUEST_BODY=$(jq --null-input \
           --arg title "${{ steps.pr-vars.outputs.title }}" \
           --arg body "${{ steps.pr-vars.outputs.body }}" \
           --arg head "${FORK_OWNER}:${BRANCH}" \
-          --arg base ${{ inputs.registry_branch }} \
+          --arg base ${REGISTRY_BRANCH} \
           --argjson draft "${DRAFT}" \
           --argjson maintainer_can_modify "${MAINTAINER_CAN_MODIFY}" \
           '{title: $title, body: $body, head: $head, base: $base, maintainer_can_modify: $maintainer_can_modify, draft: $draft}')
@@ -306,7 +313,7 @@ jobs:
           --header "Accept: application/vnd.github+json" \
           --header "Authorization: Bearer ${{ secrets.publish_token }}" \
           --header "X-GitHub-Api-Version: 2022-11-28" \
-          https://api.github.com/repos/${{ inputs.registry }}/pulls \
+          https://api.github.com/repos/${REGISTRY}/pulls \
           --data "${REQUEST_BODY}"
         )
 
@@ -329,7 +336,6 @@ jobs:
       run: |
         set -o errexit -o nounset -o pipefail
 
-        REGISTRY_FORK="${{ inputs.registry_fork }}"
         FORK_OWNER="${REGISTRY_FORK%%/*}"
         FORK_REPO="${REGISTRY_FORK##*/}"
         TITLE=$(jq --raw-input --raw-output @uri <<<"${{ steps.pr-vars.outputs.title }}")
@@ -339,4 +345,4 @@ jobs:
         echo -e "Create the pull request manually by visiting:"
 
         # https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/using-query-parameters-to-create-a-pull-request
-        echo "https://github.com/${{ inputs.registry }}/compare/${{ inputs.registry_branch }}...${FORK_OWNER}:${FORK_REPO}:${{ steps.push-to-fork.outputs.branch }}?title=${TITLE}&body=${BODY}&quick_pull=1"
+        echo "https://github.com/${REGISTRY}/compare/${REGISTRY_BRANCH}...${FORK_OWNER}:${FORK_REPO}:${{ steps.push-to-fork.outputs.branch }}?title=${TITLE}&body=${BODY}&quick_pull=1"
