ci: ensure release branches originate from the local repository and reduce residual risk of command injection (#3337)

Signed-off-by: Jan Larwig <jan@larwig.com>
Jan Larwig 2026-02-12 21:18:45 +01:00 committed by GitHub
parent 3a55dadbe8
commit e7724f3a74
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 4 additions and 3 deletions


@ -14,7 +14,7 @@ permissions:
jobs:
publish:
if: github.event.pull_request.merged && startsWith(github.event.pull_request.head.ref, 'release/')
if: github.event.pull_request.merged && startsWith(github.event.pull_request.head.ref, 'release/') && github.event.pull_request.head.repo.full_name == github.repository
runs-on: ubuntu-latest
outputs:
tag: ${{ steps.tag.outputs.version }}
@ -27,14 +27,15 @@ jobs:
fetch-tags: true
- name: Tag release
env:
BRANCH: ${{ github.event.pull_request.head.ref }}
run: |
# Set up github-actions[bot] user
git config --local user.name "github-actions[bot]"
git config --local user.email "41898282+github-actions[bot]@users.noreply.github.com"
# Get the version from the branch name
branch="${{ github.event.pull_request.head.ref }}"
version="${branch#release/}"
version="${BRANCH#release/}"
echo ${version}
# Tag and create release