-
Notifications
You must be signed in to change notification settings - Fork 508
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
✨ Check for secrets in pull_request_target (#1634)
* checks/dangerous_workflow.go: add pull_request_target support for secrets * missing files * linter
- Loading branch information
1 parent
e3637c9
commit e7fd58d
Showing
8 changed files
with
316 additions
and
22 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
52 changes: 52 additions & 0 deletions
52
...ata/.github/workflows/github-workflow-dangerous-pattern-secret-env-checkout-noref-prt.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,52 @@ | ||
name: Close issue on Jira | ||
|
||
on: | ||
pull_request_target | ||
|
||
env: | ||
BLA: ${{ secrets.SE00 }} | ||
|
||
jobs: | ||
test1: | ||
runs-on: ubuntu-latest | ||
steps: | ||
- name: Use in with toJson | ||
uses: some/action@main | ||
with: | ||
some-args: ${{ toJson(secrets.SE12) }} | ||
|
||
- name: Use in run toJson | ||
run: echo "${{ toJson(secrets.SE13) }}" | ||
test2: | ||
runs-on: ubuntu-latest | ||
steps: | ||
- name: Use in env toJson | ||
env: | ||
GITHUB_CONTEXT: ${{ secrets.SE21 }} | ||
run: echo "$GITHUB_CONTEXT" | ||
|
||
- name: Use in with toJson | ||
uses: some/[email protected] | ||
with: | ||
some-args: ${{ secrets.SE22 }} | ||
run: echo "$GITHUB_CONTEXT" | ||
|
||
- name: Use in run toJson | ||
run: echo "${{ secrets.SE23 }}" | ||
test3: | ||
runs-on: ubuntu-latest | ||
steps: | ||
- name: Use in env toJson | ||
env: | ||
GITHUB_CONTEXT: ${{ secrets.SE31 }} | ||
run: echo "$GITHUB_CONTEXT" | ||
|
||
- name: Use in with toJson | ||
uses: some/[email protected] | ||
with: | ||
some-args: ${{ secrets.SE32 }} | ||
run: echo "$GITHUB_CONTEXT" | ||
|
||
- name: Use in run toJson | ||
run: echo "${{ secrets.SE33 }}" | ||
|
63 changes: 63 additions & 0 deletions
63
...stdata/.github/workflows/github-workflow-dangerous-pattern-secret-env-environment-prt.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,63 @@ | ||
name: Close issue on Jira | ||
|
||
on: | ||
pull_request_target | ||
|
||
env: | ||
BLA: ${{ secrets.SE00 }} | ||
|
||
jobs: | ||
test1: | ||
runs-on: ubuntu-latest | ||
environment: protected | ||
steps: | ||
- name: Use in with toJson | ||
uses: some/action@main | ||
with: | ||
some-args: ${{ toJson(secrets.SE12) }} | ||
|
||
- name: Use in run toJson | ||
run: echo "${{ toJson(secrets.SE13) }}" | ||
|
||
- uses: actions/[email protected] | ||
with: | ||
ref: ${{ github.event.pull_request.head.sha }} | ||
test2: | ||
runs-on: ubuntu-latest | ||
environment: protected | ||
steps: | ||
- name: Use in env toJson | ||
env: | ||
GITHUB_CONTEXT: ${{ secrets.SE21 }} | ||
run: echo "$GITHUB_CONTEXT" | ||
|
||
- name: Use in with toJson | ||
uses: some/[email protected] | ||
with: | ||
some-args: ${{ secrets.SE22 }} | ||
run: echo "$GITHUB_CONTEXT" | ||
|
||
- name: Use in run toJson | ||
run: echo "${{ secrets.SE23 }}" | ||
|
||
- uses: actions/[email protected] | ||
test3: | ||
runs-on: ubuntu-latest | ||
environment: protected | ||
steps: | ||
- name: Use in env toJson | ||
env: | ||
GITHUB_CONTEXT: ${{ secrets.SE31 }} | ||
run: echo "$GITHUB_CONTEXT" | ||
|
||
- name: Use in with toJson | ||
uses: some/[email protected] | ||
with: | ||
some-args: ${{ secrets.SE32 }} | ||
run: echo "$GITHUB_CONTEXT" | ||
|
||
- name: Use in run toJson | ||
run: echo "${{ secrets.SE33 }}" | ||
|
||
- uses: actions/[email protected] | ||
|
Oops, something went wrong.