From 7bc0161e224b0a67a12676facc6c047695ea2ae8 Mon Sep 17 00:00:00 2001
From: Johnpaul
Date: Fri, 16 Jan 2026 22:28:31 +0100
Subject: [PATCH] ci: use env vars to prevent script injection in PR comment steps

---
 .github/workflows/ci-tests-e2e.yaml | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/ci-tests-e2e.yaml b/.github/workflows/ci-tests-e2e.yaml
index 64fa4224b..4777b04ec 100644
--- a/.github/workflows/ci-tests-e2e.yaml
+++ b/.github/workflows/ci-tests-e2e.yaml
@@ -250,13 +250,16 @@ jobs:
       - name: Post starting comment
         env:
           GITHUB_TOKEN: ${{ github.token }}
+          PR_NUMBER: ${{ needs.get-pr-info.outputs.pr_number }}
+          BRANCH: ${{ needs.get-pr-info.outputs.branch }}
+          START_TIME: ${{ steps.start-time.outputs.time }}
         run: |
           chmod +x scripts/cicd/pr-playwright-deploy-and-comment.sh
           ./scripts/cicd/pr-playwright-deploy-and-comment.sh \
-            "${{ needs.get-pr-info.outputs.pr_number }}" \
-            "${{ needs.get-pr-info.outputs.branch }}" \
+            "$PR_NUMBER" \
+            "$BRANCH" \
             "starting" \
-            "${{ steps.start-time.outputs.time }}"
+            "$START_TIME"
 
   # Deploy and comment for non-forked PRs only
   deploy-and-comment:
@@ -284,9 +287,11 @@ jobs:
           CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
           GITHUB_TOKEN: ${{ github.token }}
           GITHUB_SHA: ${{ github.event.pull_request.head.sha || github.event.workflow_run.head_sha }}
+          PR_NUMBER: ${{ needs.get-pr-info.outputs.pr_number }}
+          BRANCH: ${{ needs.get-pr-info.outputs.branch }}
         run: |
           bash ./scripts/cicd/pr-playwright-deploy-and-comment.sh \
-            "${{ needs.get-pr-info.outputs.pr_number }}" \
-            "${{ needs.get-pr-info.outputs.branch }}" \
+            "$PR_NUMBER" \
+            "$BRANCH" \
             "completed"
   #### END Deployment and commenting (non-forked PRs only)
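Review bot: Moving the outputs into `env:` closes the `${{ }}`-into-`run:` injection path, but `$PR_NUMBER` and `$BRANCH` still reach `pr-playwright-deploy-and-comment.sh` as positional arguments, and that script is not in this diff, so this hunk cannot show whether it quotes them when it builds its `gh`/`git` calls. A PR number has a fixed shape, so a cheap guard before the call keeps an unexpected value from ever reaching the script: `[[ "$PR_NUMBER" =~ ^[0-9]+$ ]] || { echo "unexpected PR number" >&2; exit 1; }`. The branch name has no such tight shape and, on a pull request, is chosen by the PR author, so the `BRANCH:` line deserves a comment such as `# PR-author-controlled; pass only as data, never interpolate into a command`. The step's enclosing job starts before this hunk.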
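Review bot: The new `PR_NUMBER:`/`BRANCH:` entries carry no explanation of why they exist, and nothing stops a future cleanup from inlining them back into `run:` as `${{ needs.get-pr-info.outputs.branch }}`, which would reintroduce the injection this commit removes in a step that also holds `CLOUDFLARE_ACCOUNT_ID` and `github.token`. A one-line comment above the two entries would pin the intent: `# Keep these in env:, never inline in run: -- inline ${{ }} expansion is a script-injection vector`. The same `[[ "$PR_NUMBER" =~ ^[0-9]+$ ]]` guard suggested for the starting-comment step applies here before `bash ./scripts/cicd/pr-playwright-deploy-and-comment.sh`. The `GITHUB_SHA` fallback to `workflow_run.head_sha` suggests this job may run on a `workflow_run` trigger with a write-capable token, in which case the `get-pr-info` outputs are presumably derived from the triggering run and the env indirection is the right fix; the enclosing job definition starts before this hunk, so the trigger and `permissions:` cannot be confirmed here.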