
Commit 417f44a

committed
fix security in gh action
1 parent 113a763 commit 417f44a


4 files changed

+38
-21
lines changed


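--- a/.github/actions/get_deps/action.yml
+++ b/.github/actions/get_deps/action.yml
@@ -26,7 +26,9 @@ runs:
 shell: bash
 
 - name: Get Dependencies
+env:
+ARG: ${{ inputs.arg }}
 run: |
-python3 tools/get_deps.py ${{ inputs.arg }}
+python3 tools/get_deps.py ${ARG}
 echo "PICO_SDK_PATH=${{ github.workspace }}/pico-sdk" >> $GITHUB_ENV
 shell: bash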
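Review bot: `${ARG}` on the new `python3 tools/get_deps.py ${ARG}` line is still unquoted, so a value containing spaces or glob characters is split into several arguments by the shell, even though the env indirection now stops it from being interpreted as script text; write `python3 tools/get_deps.py "${ARG}"`. The same unquoted expansions appear on the new lines of setup_toolchain/download/action.yml (`${TOOLCHAIN}`, `${TOOLCHAIN_URL}`) and setup_toolchain/espressif/action.yml (`${TOOLCHAIN}`, `${TOOLCHAIN_VERSION}`), and the fix is the same double-quoting there. The composite action's `inputs:` definition is above the hunk, so whether `arg` is constrained to a fixed set of values cannot be seen here.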

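--- a/.github/actions/setup_toolchain/action.yml
+++ b/.github/actions/setup_toolchain/action.yml
@@ -30,8 +30,10 @@ runs:
 inputs.toolchain != 'arm-gcc' &&
 inputs.toolchain != 'esp-idf'
 id: set-toolchain-url
+env:
+TOOLCHAIN: ${{ inputs.toolchain }}
 run: |
-TOOLCHAIN_URL=$(jq -r '."${{ inputs.toolchain }}"' .github/actions/setup_toolchain/toolchain.json)
+TOOLCHAIN_URL=$(jq -r '."$TOOLCHAIN"' .github/actions/setup_toolchain/toolchain.json)
 echo "toolchain_url=$TOOLCHAIN_URL"
 echo "toolchain_url=$TOOLCHAIN_URL" >> $GITHUB_OUTPUT
 shell: bash
@@ -47,11 +49,13 @@ runs:
 
 - name: Set toolchain option
 id: set-toolchain-option
+env:
+TOOLCHAIN: ${{ inputs.toolchain }}
 run: |
 BUILD_OPTION=""
-if [[ "${{ inputs.toolchain }}" == *"clang"* ]]; then
+if [[ "$TOOLCHAIN" == *"clang"* ]]; then
 BUILD_OPTION="--toolchain clang"
-elif [[ "${{ inputs.toolchain }}" == "arm-iar" ]]; then
+elif [[ "$TOOLCHAIN" == "arm-iar" ]]; then
 BUILD_OPTION="--toolchain iar"
 fi
 echo "build_option=$BUILD_OPTION"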
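Review bot: The new `jq -r '."$TOOLCHAIN"'` line in the first hunk no longer looks up the toolchain: `$TOOLCHAIN` sits inside single quotes, so bash does not expand it and jq queries the literal key `$TOOLCHAIN` in toolchain.json, which yields `null` and an empty `toolchain_url` output for every toolchain. Pass the value in as a jq variable, which also keeps it out of the filter syntax entirely: `TOOLCHAIN_URL=$(jq -r --arg t "$TOOLCHAIN" '.[$t]' .github/actions/setup_toolchain/toolchain.json)`. The second hunk's `[[ "$TOOLCHAIN" == ... ]]` comparisons are correctly double-quoted. The `set-toolchain-url` step's `name`/`if` lines precede the hunk, so the step's start is not visible here.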

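--- a/.github/actions/setup_toolchain/download/action.yml
+++ b/.github/actions/setup_toolchain/download/action.yml
@@ -21,29 +21,34 @@ runs:
 
 - name: Install Toolchain
 if: steps.cache-toolchain-download.outputs.cache-hit != 'true'
+env:
+TOOLCHAIN: ${{ inputs.toolchain }}
+TOOLCHAIN_URL: ${{ inputs.toolchain_url }}
 run: |
-mkdir -p ~/cache/${{ inputs.toolchain }}
+mkdir -p ~/cache/${TOOLCHAIN}
 
-if [[ ${{ inputs.toolchain }} == rx-gcc ]]; then
-wget --progress=dot:giga ${{ inputs.toolchain_url }} -O toolchain.run
+if [[ ${TOOLCHAIN} == rx-gcc ]]; then
+wget --progress=dot:giga ${TOOLCHAIN_URL} -O toolchain.run
 chmod +x toolchain.run
-./toolchain.run -p ~/cache/${{ inputs.toolchain }}/gnurx -y
-elif [[ ${{ inputs.toolchain }} == arm-iar ]]; then
-wget --progress=dot:giga https://netstorage.iar.com/FileStore/STANDARD/001/003/926/iar-lmsc-tools_1.8_amd64.deb -O ~/cache/${{ inputs.toolchain }}/iar-lmsc-tools.deb
-wget --progress=dot:giga ${{ inputs.toolchain_url }} -O ~/cache/${{ inputs.toolchain }}/cxarm.deb
+./toolchain.run -p ~/cache/${TOOLCHAIN}/gnurx -y
+elif [[ ${TOOLCHAIN} == arm-iar ]]; then
+wget --progress=dot:giga https://netstorage.iar.com/FileStore/STANDARD/001/003/926/iar-lmsc-tools_1.8_amd64.deb -O ~/cache/${TOOLCHAIN}/iar-lmsc-tools.deb
+wget --progress=dot:giga ${TOOLCHAIN_URL} -O ~/cache/${TOOLCHAIN}/cxarm.deb
 else
-wget --progress=dot:giga ${{ inputs.toolchain_url }} -O toolchain.tar.gz
-tar -C ~/cache/${{ inputs.toolchain }} -xaf toolchain.tar.gz
+wget --progress=dot:giga ${TOOLCHAIN_URL} -O toolchain.tar.gz
+tar -C ~/cache/${TOOLCHAIN} -xaf toolchain.tar.gz
 fi
 shell: bash
 
 - name: Setup Toolchain
+env:
+TOOLCHAIN: ${{ inputs.toolchain }}
 run: |
-if [[ ${{ inputs.toolchain }} == arm-iar ]]; then
-sudo dpkg -i ~/cache/${{ inputs.toolchain }}/iar-lmsc-tools.deb
-sudo apt install -y ~/cache/${{ inputs.toolchain }}/cxarm.deb
+if [[ ${TOOLCHAIN} == arm-iar ]]; then
+sudo dpkg -i ~/cache/${TOOLCHAIN}/iar-lmsc-tools.deb
+sudo apt install -y ~/cache/${TOOLCHAIN}/cxarm.deb
 echo >> $GITHUB_PATH "/opt/iar/cxarm/arm/bin"
 else
-echo >> $GITHUB_PATH `echo ~/cache/${{ inputs.toolchain }}/*/bin`
+echo >> $GITHUB_PATH `echo ~/cache/${TOOLCHAIN}/*/bin`
 fi
 shell: bash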
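Review bot: In the `Install Toolchain` step the file fetched from `${TOOLCHAIN_URL}` is made executable and run as `./toolchain.run`, and the two `.deb` files are installed with `sudo` in the next step, without any integrity check on what `wget` actually received, so on a cache miss the build trusts whatever the remote host serves. Consider recording an expected SHA-256 alongside each URL (toolchain.json's shape is not visible in this commit, so where to keep it is a guess) and checking it before use, e.g. `echo "<expected-sha256>  toolchain.run" | sha256sum -c -` before the `chmod +x`, with the same check for `cxarm.deb` and `iar-lmsc-tools.deb`. Separately, `mkdir -p ~/cache/${TOOLCHAIN}` and the `wget ... ${TOOLCHAIN_URL}` lines leave the expansions unquoted, so a value containing spaces or glob characters still splits into extra arguments; `"${TOOLCHAIN}"` and `"${TOOLCHAIN_URL}"` close that gap. Both points are independent of the injection fix the commit makes.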

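--- a/.github/actions/setup_toolchain/espressif/action.yml
+++ b/.github/actions/setup_toolchain/espressif/action.yml
@@ -13,8 +13,10 @@ runs:
 using: "composite"
 steps:
 - name: Set DOCKER_ESP_IDF
+env:
+TOOLCHAIN: ${{ inputs.toolchain }}
 run: |
-DOCKER_ESP_IDF=$HOME/cache/${{ inputs.toolchain }}/docker_image.tar
+DOCKER_ESP_IDF=$HOME/cache/${TOOLCHAIN}/docker_image.tar
 echo "DOCKER_ESP_IDF=$DOCKER_ESP_IDF" >> $GITHUB_ENV
 shell: bash
 
@@ -27,10 +29,12 @@ runs:
 
 - name: Pull and Save Docker Image
 if: steps.cache-toolchain-espressif.outputs.cache-hit != 'true'
+env:
+TOOLCHAIN_VERSION: ${{ inputs.toolchain_version }}
 run: |
-docker pull espressif/idf:${{ inputs.toolchain_version }}
+docker pull espressif/idf:${TOOLCHAIN_VERSION}
 mkdir -p $(dirname $DOCKER_ESP_IDF)
-docker save -o $DOCKER_ESP_IDF espressif/idf:${{ inputs.toolchain_version }}
+docker save -o $DOCKER_ESP_IDF espressif/idf:${TOOLCHAIN_VERSION}
 du -sh $DOCKER_ESP_IDF
 shell: bash
 
@@ -42,7 +46,9 @@ runs:
 shell: bash
 
 - name: Tag Local Image
+env:
+TOOLCHAIN_VERSION: ${{ inputs.toolchain_version }}
 run: |
-docker tag espressif/idf:${{ inputs.toolchain_version }} espressif/idf:tinyusb
+docker tag espressif/idf:${TOOLCHAIN_VERSION} espressif/idf:tinyusb
 docker images
 shell: bash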
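Review bot: `docker pull espressif/idf:${TOOLCHAIN_VERSION}` in the `Pull and Save Docker Image` hunk pulls by a mutable tag, so on a cache miss the image content can change between runs with no change to the workflow inputs, and the `docker save` tarball then caches whatever was served. Pinning to an immutable reference (`espressif/idf@sha256:<digest>`, digest to be taken from the registry), or at least logging the pulled image's digest in that step, makes the toolchain reproducible and auditable. The `${TOOLCHAIN_VERSION}` and `${TOOLCHAIN}` expansions on the new lines are also unquoted; `"${TOOLCHAIN_VERSION}"` and `"${TOOLCHAIN}"` prevent word splitting if an unexpected value reaches them.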
