Conversation

@kevinmessiaen
Member

Description

  • Use environment variables instead of direct interpolation for user inputs
  • Add proper quoting for environment variables in shell commands
  • Fix create-release.yml: use INPUT_VERSION env var for inputs.version
  • Fix retry-workflow.yml: use RUN_ID env var for inputs.run_id

Resolves a high-severity security vulnerability in workflow variable interpolation
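The before and after shape of the two steps the description refers to, as an added illustration rather than the PR's own diff. The job and step names, the commands inside `run`, and the version-format check are assumptions; INPUT_VERSION and RUN_ID are the env var names named in the description, and the default bash shell of a Linux runner is assumed.

```yaml
# Added illustration, not the project's workflow files. Job/step names,
# the commands in `run`, and the format check are assumed; INPUT_VERSION
# and RUN_ID are the env var names from the PR description.
jobs:
  # BEFORE: ${{ }} expressions are expanded by the Actions template engine
  # before the shell starts, so the input text becomes part of the script
  # source itself, and quoting inside `run` cannot protect it.
  before:
    runs-on: ubuntu-latest
    steps:
      - name: Tag release (vulnerable pattern)
        run: |
          git tag "v${{ inputs.version }}"
          git push origin "v${{ inputs.version }}"
      - name: Retry a run (vulnerable pattern)
        run: gh run rerun ${{ inputs.run_id }} --failed

  # AFTER: the input is handed to the step through `env:` and read by the
  # shell at runtime, so it is data rather than script source. Double
  # quotes keep the value one word even if it contains spaces or
  # shell metacharacters.
  after:
    runs-on: ubuntu-latest
    steps:
      - name: Tag release
        env:
          INPUT_VERSION: ${{ inputs.version }}
        run: |
          # Defence in depth (assumed, beyond the PR): accept only X.Y.Z.
          [[ "$INPUT_VERSION" =~ ^[0-9]+(\.[0-9]+){2}$ ]] || {
            echo "unexpected version format" >&2; exit 1; }
          git tag "v${INPUT_VERSION}"
          git push origin "v${INPUT_VERSION}"
      - name: Retry a run
        env:
          RUN_ID: ${{ inputs.run_id }}
        run: gh run rerun "$RUN_ID" --failed
```

The same rule applies to any other attacker-influenced context value (issue titles, branch names, PR bodies), not only `workflow_dispatch` inputs.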

Related Issue

Type of Change

  • 📚 Examples / docs / tutorials / dependencies update
  • 🔧 Bug fix (non-breaking change which fixes an issue)
  • 🥂 Improvement (non-breaking change which improves an existing feature)
  • 🚀 New feature (non-breaking change which adds functionality)
  • 💥 Breaking change (fix or feature that would cause existing functionality to change)
  • 🔐 Security fix

Checklist

  • I've read the CODE_OF_CONDUCT.md document.
  • I've read the CONTRIBUTING.md guide.
  • I've written tests for all new methods and classes that I created.
  • I've written the docstring in Google format for all the methods and classes that I used.
  • I've updated the pdm.lock running pdm update-lock (only applicable when pyproject.toml has been modified)

@kevinmessiaen kevinmessiaen requested a review from mattbit October 23, 2025 10:00
@kevinmessiaen kevinmessiaen changed the title from "fix(security): prevent command injection in GitHub Actions workflows" to "fix(security): prevent command injection in GitHub Actions workflows [ENG-1131]" on Nov 6, 2025