fix(actionlint): resolve untrusted github.head_ref and undefined secrets

- Add env vars for HEAD_REF and BASE_REF in detect-pr-pipeline.yaml to avoid using github.head_ref/github.base_ref directly in inline scripts (actionlint rule) - Fix plugin-release.yaml to use secrets.GITEA_RELEASE_TOKEN instead of undefined secrets.GITEA_TOKEN (3 occurrences) Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-16 04:35:11 +00:00
parent 42e3b8d08f
commit af703ea161
2 changed files with 18 additions and 10 deletions
@@ -14,12 +14,16 @@ jobs:
    runs-on: ubuntu-latest
    timeout-minutes: 2

+    env:
+      HEAD_REF: ${{ github.head_ref }}
+      BASE_REF: ${{ github.base_ref }}
+
    steps:
      - name: Checkout
        run: |
          git clone --depth=1 "https://x-access-token:${{ secrets.GITEA_TOKEN }}@git.farh.net/${{ github.repository }}.git" .
-          git fetch origin "${{ github.base_ref }}" --depth=1
-          git fetch origin "${{ github.head_ref }}" --depth=1
+          git fetch origin "$BASE_REF" --depth=1
+          git fetch origin "$HEAD_REF" --depth=1
          git checkout "${{ github.sha }}"

      - name: Run detection tests
@@ -29,6 +33,10 @@ jobs:
    runs-on: ubuntu-latest
    timeout-minutes: 5

+    env:
+      HEAD_REF: ${{ github.head_ref }}
+      BASE_REF: ${{ github.base_ref }}
+
    outputs:
      pipeline-type: ${{ steps.detect.outputs.pipeline-type }}

@@ -36,16 +44,16 @@ jobs:
      - name: Checkout
        run: |
          git clone --depth=1 "https://x-access-token:${{ secrets.GITEA_TOKEN }}@git.farh.net/${{ github.repository }}.git" .
-          git fetch origin "${{ github.base_ref }}" --depth=1
-          git fetch origin "${{ github.head_ref }}" --depth=1
+          git fetch origin "$BASE_REF" --depth=1
+          git fetch origin "$HEAD_REF" --depth=1
          git checkout "${{ github.sha }}"

      - name: Get changed files
        run: |
          mkdir -p /tmp/pr-detect
-          git fetch origin "${{ github.base_ref }}" --depth=1 2>/dev/null
-          git fetch origin "${{ github.head_ref }}" --depth=1 2>/dev/null
-          git diff --name-only "origin/${{ github.base_ref }}" "${{ github.head_ref }}" > /tmp/pr-detect/changed_files.txt
+          git fetch origin "$BASE_REF" --depth=1 2>/dev/null
+          git fetch origin "$HEAD_REF" --depth=1 2>/dev/null
+          git diff --name-only "origin/$BASE_REF" "origin/$HEAD_REF" > /tmp/pr-detect/changed_files.txt
          echo "Files found: $(wc -l < /tmp/pr-detect/changed_files.txt)"
          cat /tmp/pr-detect/changed_files.txt

@@ -39,7 +39,7 @@ jobs:
      - name: Verify GITEA_RELEASE_TOKEN is configured
        id: check
        env:
-          GITEA_RELEASE_TOKEN: ${{ secrets.GITEA_TOKEN }}
+          GITEA_RELEASE_TOKEN: ${{ secrets.GITEA_RELEASE_TOKEN }}
        run: |
          if [ -z "$GITEA_RELEASE_TOKEN" ]; then
            echo "::notice::GITEA_RELEASE_TOKEN org secret is not configured (see PRI-1533). Release skipped — no artifacts will be created."
@@ -65,7 +65,7 @@ jobs:
      - name: Check write permissions via API
        id: check
        env:
-          GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
+          GITEA_TOKEN: ${{ secrets.GITEA_RELEASE_TOKEN }}
          REPO: ${{ github.repository }}
        run: |
          HTTP_CODE=$(curl -sf -o /dev/null -w "%{http_code}" \
@@ -101,7 +101,7 @@ jobs:
      - name: Check if tag already exists
        id: check
        env:
-          GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
+          GITEA_TOKEN: ${{ secrets.GITEA_RELEASE_TOKEN }}
          REPO: ${{ github.repository }}
        run: |
          HTTP_CODE=$(curl -sf -o /dev/null -w "%{http_code}" \