Avoid potentialy user-controlled template expansion in workflows

QuLogic · QuLogic · commit 811b09005760 · 2024-12-07T03:01:44.000-05:00
I don't believe `do_no_merge.yml` is unsafe, but there's no need to echo
the environment variable (it'll either pass or fail based on the value
anyway.)

I also don't think the `circleci.yml` context variable is vulnerable,
but zizmor warns about it, and it's easy to avoid if turns out to be
vulnerable.
diff --git a/.github/workflows/circleci.yml b/.github/workflows/circleci.yml
@@ -34,8 +34,10 @@ jobs:
 
       - name: Fetch result artifacts
         id: fetch-artifacts
+        env:
+          target_url: "${{ github.event.target_url }}"
         run: |
-          python .circleci/fetch_doc_logs.py "${{ github.event.target_url }}"
+          python .circleci/fetch_doc_logs.py "${target_url}"
 
       - name: Set up reviewdog
         if: "${{ steps.fetch-artifacts.outputs.count != 0 }}"
diff --git a/.github/workflows/do_not_merge.yml b/.github/workflows/do_not_merge.yml
@@ -23,7 +23,6 @@ jobs:
           echo "This PR cannot be merged because it has one of the following labels: "
           echo "* status: needs comment/discussion"
           echo "* status: waiting for other PR"
-          echo "${{env.has_tag}}"
           exit 1
       - name: Allow merging
         if: ${{'false' == env.has_tag}}
