mirror of https://github.com/containers/podman.git synced 2026-02-05 15:45:08 +01:00

12 Commits

Author SHA1 Message Date
Daniel Hast
67c050bb8e ci: use env vars to avoid template expansion in code contexts
Template expansions are not aware of shell script syntax, and therefore
can potentially result in code injection vulnerabilities when used in
code contexts: https://docs.zizmor.sh/audits/#template-injection

To avoid this, instead use environment variables to safely store the
values of the template expansions.

Also (in the process of doing the above) added double-quotes around
some instances of variable expansions in shell scripts, which is
necessary to avoid unintended shell splitting and globbing. (I didn't
see any instances where this was actually likely to result in erroneous
behavior, but it's good practice and makes shell scripts more robust.)

Signed-off-by: Daniel Hast <hast.daniel@protonmail.com>
2025-12-01 08:43:09 -05:00
Daniel Hast
3f4af378f4 ci: use --sandbox for dynamically generated sed scripts
sed scripts are capable of doing file I/O and executing arbitrary
commands. The `--sandbox` option prevents this by rejecting sed commands
with such capabilities; it's good practice to use this whenever the sed
script is dynamically generated (e.g. if it involves a variable
expansion).

Also fixed an error in one sed script where `.*` had been placed outside
of the quoted string (and would therefore be subject to shell globbing),
presumably due to single-quotes having been changed to double-quotes at
some point in the past.

Signed-off-by: Daniel Hast <hast.daniel@protonmail.com>
2025-12-01 08:43:05 -05:00
Daniel Hast
0752c5327e ci: specify persist-credentials for actions/checkout
Explicitly set `persist-credentials: true` for uses of
`actions/checkout` where it's needed (when the job does git operations
using the stored credentials) and `persist-credentials: false` where the
stored credentials are not later used.

This reduces the risk of cached credentials accidentally being leaked
via artifacts.

Signed-off-by: Daniel Hast <hast.daniel@protonmail.com>
2025-12-01 08:42:49 -05:00
Daniel Hast
30495081b7 ci: specify workflow permissions per job
Also remove some unnecessary permissions:

* The notification job in release-artifacts.yml only needs to read repo
  contents, not write contents and actions.
* All jobs in release.yml except "Create release" and "Update podman.io"
  only need to read repo contents. "Update podman.io" only needs to
  write repo contents and pull requests.
* Likewise, permissions for update-podmanio.yml can be restricted to
  only writing repo contents and pull requests.

Signed-off-by: Daniel Hast <hast.daniel@protonmail.com>
2025-12-01 08:42:39 -05:00
renovate[bot]
a23b90b119 [skip-ci] Update actions/checkout action to v6
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-11-20 16:43:50 +00:00
renovate[bot]
73e42b3c9c [skip-ci] Update actions/setup-node action to v6
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-10-14 05:09:32 +00:00
Mohan Boddu
b8258a53dd Update github action to use pull_request_target
pull_request doesn't have access to the secrets; pull_request_target
does have access to the secrets.

Signed-off-by: Mohan Boddu <mboddu@redhat.com>
2025-09-15 17:12:10 -04:00
openshift-merge-bot[bot]
1ea1958a2d Merge pull request #27048 from containers/renovate/actions-setup-node-5.x
[skip-ci] Update actions/setup-node action to v5
2025-09-11 10:10:39 +00:00
renovate[bot]
80f1d48d44 [skip-ci] Update actions/setup-node action to v5
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-09-10 21:03:12 +00:00
renovate[bot]
aa8bbbb1ff [skip-ci] Update actions/github-script action to v8
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-09-10 18:36:42 +00:00
renovate[bot]
e1c1961d48 [skip-ci] Update actions/checkout action to v5
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-09-10 17:04:48 +00:00
Mohan Boddu
c38babff57 Adding github action to generate a badge for first time contributor
This github action uses the certficate_generator.html from the automation
repo to generate the badge for first time contributors and commits the
badge to the same repo, which will be commented on the PR once it gets
merged.

Signed-off-by: Mohan Boddu <mboddu@redhat.com>
2025-09-08 12:07:47 -04:00