diff --git a/.github/workflows/check-versioning.yml b/.github/workflows/check-versioning.yml
index 07a517c38..c224d0206 100644
--- a/.github/workflows/check-versioning.yml
+++ b/.github/workflows/check-versioning.yml
@@ -59,6 +59,14 @@ jobs:
 with:
 persist-credentials: false
+ # Security: Checkout the trusted version.sh from main branch to prevent script injection
+ - if: startsWith(github.event_name, 'pull_request')
+ name: Checkout version.sh from main branch
+ run: |
+ git fetch origin main
+ git checkout origin/main -- version.sh
+ chmod +x version.sh
+
 # Only run version check for PRs. If PR does NOT have "same version" label, then ensure that
 # version.txt is different from what is in main.
 - if: startsWith(github.event_name, 'pull_request') && !contains(github.event.pull_request.labels.*.name, 'same version')
diff --git a/.github/workflows/update-versions.yml b/.github/workflows/update-versions.yml
index 8e58b35a4..b956f0913 100644
--- a/.github/workflows/update-versions.yml
+++ b/.github/workflows/update-versions.yml
@@ -30,7 +30,7 @@ jobs:
 })
 build:
- if: ${{ github.event.issue.pull_request }} && contains(github.event.comment.body, '/version')
+ if: github.event.issue.pull_request && contains(github.event.comment.body, '/version') && (github.event.comment.author_association == 'MEMBER' || github.event.comment.author_association == 'OWNER')
 runs-on: ubuntu-latest
 steps:
@@ -57,7 +57,14 @@ jobs:
 with:
 repository: ${{ fromJSON(steps.get-pr.outputs.result).head.repo.full_name }}
 ref: ${{ fromJSON(steps.get-pr.outputs.result).head.ref }}
-
+
+ # Security: Checkout the trusted version.sh from main branch to prevent script injection
+ - name: Checkout version.sh from main branch
+ run: |
+ git fetch origin main
+ git checkout origin/main -- version.sh
+ chmod +x version.sh
+
 - name: Update version minor
 if: contains(github.event.comment.body, '/version minor')
 run: |
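Review bot: The added fetch runs after a checkout with `persist-credentials: false`, so `git fetch origin main` only succeeds while the repository is publicly readable; for a private repository the step fails with no token, which is worth stating in the step comment or handling explicitly. The comment "to prevent script injection" overstates what the step does: it pins version.sh to the base branch so a PR cannot substitute its own copy, and as far as I can tell that only matters under `pull_request_target`, because under plain `pull_request` the workflow file itself comes from the PR and the same author could simply drop this step. A wording such as `# Security: use version.sh from the base branch rather than the PR head, so a PR cannot change the script this job runs` says this precisely. The identical step is repeated in update-versions.yml; a composite action would keep the two copies in sync.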
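Review bot: The new gate admits only MEMBER and OWNER, so a COLLABORATOR (a user granted write access without org membership) can no longer trigger the job; if that is deliberate, say so in a comment above `if:`, otherwise add `|| github.event.comment.author_association == 'COLLABORATOR'` inside the parentheses. `contains(github.event.comment.body, '/version')` also fires on a comment that merely quotes the command; `startsWith(github.event.comment.body, '/version')` would limit it to comments issued as commands, though the later `contains(..., '/version minor')` steps would need the same treatment. The expression is long enough to fold: `if: >-` with one `&&` clause per line reads better and diffs cleaner.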
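Review bot: In this job `origin` is the PR head repository, because the preceding checkout sets `repository:` to `head.repo.full_name`, so for a pull request from a fork `git checkout origin/main -- version.sh` takes version.sh from the fork's main branch, not the trusted copy the comment promises. Fetch the base repository explicitly instead: `git fetch "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git" main` followed by `git checkout FETCH_HEAD -- version.sh` (a private repository would additionally need a token on that URL). The MEMBER/OWNER gate limits who can trigger the job, but a maintainer commenting `/version` on a fork PR would still run whatever the fork placed at version.sh if the following steps execute it; those steps lie outside the hunk. In check-versioning.yml the same step appears safe as far as I can tell, since that checkout uses the default repository, so the fix is only needed here.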