Skip to content

CI: fix template-injection findings in GitHub Actions workflows#22732

Open
jorgsowa wants to merge 1 commit into
php:PHP-8.4from
jorgsowa:fix-workflow-template-injection
Open

CI: fix template-injection findings in GitHub Actions workflows#22732
jorgsowa wants to merge 1 commit into
php:PHP-8.4from
jorgsowa:fix-workflow-template-injection

Conversation

@jorgsowa

@jorgsowa jorgsowa commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

zizmor flagged several workflow steps that expand untrusted ${{ }} expressions directly into run: shell scripts. Route these values through env:.

I can also revert the change for safe GitHub-provided values, like github.repository.

zizmor flagged several workflow steps that expand untrusted `${{ }}`
expressions directly into `run:` shell scripts. Route these values
through `env:` instead so they're substituted as shell variables
rather than interpolated into the script text.

@TimWolla TimWolla left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm lukewarm on this entire change. The jobs run with minimal permissions (particularly on the pull_request trigger). Anyone who is able to inject untrusted values, will also be able to just execute arbitrary code by modifying the workflow and / or the Makefile.

env:
EVENT_NAME: ${{ github.event_name }}
RUN_ATTEMPT: ${{ github.run_attempt }}
REF: ${{ github.event_name == 'pull_request' && github.ref || github.ref_name }}

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unrelated, but this could use the case() function.

@jorgsowa

Copy link
Copy Markdown
Contributor Author

I understand you and agree. The attack vector is very limited, but this hardening is becoming pretty standard. The end goal should be secure workflow and easy configuration. I tend to apply everything that zizmor warns about, to not care about customization and to avoid any divagation if the change is harmful or not when there are no strong opinions.

I can compare it with the formatter, i.e. Prettier. Minimal configuration, code formatted and no one cares anymore about the formatting, because it's standarized.

My recommandation is to apply full zizmor in CI, add dependabot/renovate and zizmor-action to the CI pipeline. I can do it in separate commits if you want, or you can close the PR. I can accept any decision.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants