fix(actionlint): resolve untrusted github.head_ref and undefined secrets

- Add env vars for HEAD_REF and BASE_REF in detect-pr-pipeline.yaml to avoid
  using github.head_ref/github.base_ref directly in inline scripts (actionlint rule)
- Fix plugin-release.yaml to use secrets.GITEA_RELEASE_TOKEN instead of
  undefined secrets.GITEA_TOKEN (3 occurrences)

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-16 04:35:11 +00:00
committed by Gandalf the Greybeard [agent]
parent 42e3b8d08f
commit af703ea161
2 changed files with 18 additions and 10 deletions
+3 -3
@@ -39,7 +39,7 @@ jobs:
- name: Verify GITEA_RELEASE_TOKEN is configured
id: check
env:
GITEA_RELEASE_TOKEN: ${{ secrets.GITEA_TOKEN }}
GITEA_RELEASE_TOKEN: ${{ secrets.GITEA_RELEASE_TOKEN }}
run: |
if [ -z "$GITEA_RELEASE_TOKEN" ]; then
echo "::notice::GITEA_RELEASE_TOKEN org secret is not configured (see PRI-1533). Release skipped — no artifacts will be created."
@@ -65,7 +65,7 @@ jobs:
- name: Check write permissions via API
id: check
env:
GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
GITEA_TOKEN: ${{ secrets.GITEA_RELEASE_TOKEN }}
REPO: ${{ github.repository }}
run: |
HTTP_CODE=$(curl -sf -o /dev/null -w "%{http_code}" \
@@ -101,7 +101,7 @@ jobs:
- name: Check if tag already exists
id: check
env:
GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
GITEA_TOKEN: ${{ secrets.GITEA_RELEASE_TOKEN }}
REPO: ${{ github.repository }}
run: |
HTTP_CODE=$(curl -sf -o /dev/null -w "%{http_code}" \
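Review bot: In the "Check write permissions via API" and "Check if tag already exists" steps the release secret is still exported under the env name `GITEA_TOKEN`, while the first step exports the same secret as `GITEA_RELEASE_TOKEN`. A reader can mistake `GITEA_TOKEN` for an automatically issued job token rather than the org-level release credential, which hides how privileged those curl calls are. I would write `GITEA_RELEASE_TOKEN: ${{ secrets.GITEA_RELEASE_TOKEN }}` in both steps and update the `$GITEA_TOKEN` references in their scripts, which continue outside the hunks shown. If the tag-existence check only needs read access, it is worth confirming whether it needs the release token at all. Separately, `curl -sf` exits non-zero on an HTTP error status, so depending on the shell options and the rest of the command (not visible here) `HTTP_CODE` may never be inspected on a 4xx response.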