
ci: fix semgrep reported run-shell-injection #4168


Conversation

oakrizan (Contributor) commented Aug 1, 2025

What does this PR do?

Update GH workflows and actions to fix the run-shell-injection vulnerability.
More info: https://semgrep.dev/r?q=yaml.github-actions.security.run-shell-injection.run-shell-injection

Tested in personal fork: oakrizan#1

Checklist

  • This is an enhancement of existing features, or a new feature in existing plugins
    • I have updated CHANGELOG.next-release.md
    • I have added tests that prove my fix is effective or that my feature works
    • Added an API method or config option? Document in which version this will be introduced
    • I have made corresponding changes to the documentation
  • This is a bugfix
  • This is a new plugin
    • I have updated CHANGELOG.next-release.md
    • My code follows the style guidelines of this project
    • I have made corresponding changes to the documentation
    • I have added tests that prove my fix is effective or that my feature works
    • New and existing unit tests pass locally with my changes
    • I have updated supported-technologies.md
    • Added an API method or config option? Document in which version this will be introduced
    • Added an instrumentation plugin? Describe how you made sure that old, non-supported versions are not instrumented by accident.
  • This is something else
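As an added illustration of what the semgrep rule reports and what the fix looks like (a constructed example workflow, not the PR's own diff; the `triage-example` name and the `issues` trigger are assumptions):

```yaml
# Constructed example, not taken from the PR. Two jobs doing the same thing:
# one in the shape the run-shell-injection rule flags, one in the fixed shape.
name: triage-example
on:
  issues:
    types: [opened]

jobs:
  unsafe:
    runs-on: ubuntu-latest
    steps:
      # Flagged: the ${{ }} expression is expanded into the script text before
      # the shell parses it, so an issue title (which anyone can write) is
      # interpreted as shell syntax rather than treated as data.
      - run: echo "New issue: ${{ github.event.issue.title }}"

  safe:
    runs-on: ubuntu-latest
    steps:
      # Fixed: the expansion happens in the env block only, and the script
      # reads the value through a quoted variable, which the shell treats as
      # an ordinary string regardless of its contents.
      - env:
          TITLE: ${{ github.event.issue.title }}
        run: echo "New issue: $TITLE"
```

The same change applies to any user-controlled context (for example `github.head_ref` or a pull request title): move the expression into `env:` and reference the variable from `run:`.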

@oakrizan oakrizan requested review from a team as code owners August 1, 2025 15:28

github-actions bot commented Aug 1, 2025

🤖 GitHub comments


Just comment with:

  • run docs-build : Re-trigger the docs validation. (use unformatted text in the comment!)


@fr4nc1sc0-r4m0n fr4nc1sc0-r4m0n left a comment


Just left a few comments and questions. Thanks!

@oakrizan oakrizan added ci:jdk-compatibility Enables JDK compatibility tests in build pipeline ci:windows Enables Windows build & tests labels Aug 4, 2025
@oakrizan oakrizan marked this pull request as draft August 5, 2025 10:02
@oakrizan oakrizan marked this pull request as ready for review August 5, 2025 20:10
@oakrizan oakrizan requested a review from SylvainJuge August 11, 2025 10:31
@SylvainJuge SylvainJuge merged commit db2af79 into elastic:main Aug 14, 2025
21 checks passed
Labels
agent-java ci:jdk-compatibility Enables JDK compatibility tests in build pipeline ci:windows Enables Windows build & tests