Pull request overview
This PR addresses GitHub Actions code-injection alerts by removing or hardening workflow inputs that were previously interpolated directly into run: commands.
Changes:
- Removed the reusable-workflow input that allowed an arbitrary phpstan command to be executed.
- Replaced direct `${{ github.* }}` interpolation in `go list` commands with quoted GitHub-provided environment variables.
- Routed `pint-extra-paths` through an environment variable to avoid direct expression interpolation in the `run:` line.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| .github/workflows/lint-php.yml | Removes phpstan-command input and hardcodes the phpstan invocation to avoid command injection. |
| .github/workflows/go-proxy.yml | Uses $GITHUB_* env vars (quoted) instead of ${{ }} interpolation in run: commands. |
| .github/workflows/format-php.yml | Passes pint-extra-paths via env var and references it in the shell command to mitigate injection. |
| - run: pint "$PINT_EXTRA_PATHS" | ||
| if: ${{ inputs.pint-extra-paths != '' }} | ||
| shell: bash | ||
| env: | ||
| PINT_EXTRA_PATHS: ${{ inputs.pint-extra-paths }} |
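Review bot: the `if: ${{ inputs.pint-extra-paths != '' }}` guard now does real work and deserves a comment on that line saying so: with the argument quoted as `"$PINT_EXTRA_PATHS"`, an empty input would otherwise reach pint as a literal empty-string path instead of being dropped by word splitting. The `${{ }}` in `if:` itself is fine, since the runner evaluates it before any shell is involved; only the `run:` line needed the `env:` indirection.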
pint "$PINT_EXTRA_PATHS" changes behavior compared to the previous pint ${{ inputs.pint-extra-paths }}: quoting prevents word-splitting and glob expansion, so callers can no longer pass multiple paths/patterns (e.g., space-separated paths or globs). If multi-path support is needed, consider expanding the env var into a bash array (or otherwise parsing/validating) and passing the resulting arguments to pint without re-introducing expression interpolation.
| workflow_call: | ||
| inputs: | ||
| # phpstan | ||
| phpstan: | ||
| description: Whether to run phpstan | ||
| default: true | ||
| type: boolean |
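Review bot: `description: Whether to run phpstan` is the only documentation a caller sees for this section once the `phpstan-command` input is gone (per the file table above), so extend it to say that the phpstan invocation is now fixed by the workflow; a caller migrating off `phpstan-command` then learns from the input itself that there is no replacement knob, rather than from a validation error. A short note under the `# phpstan` comment that the free-text command input was dropped deliberately would serve the same purpose for maintainers.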
Removing the phpstan-command input is a breaking change for this reusable workflow: any existing callers passing that input will now fail validation with an “unexpected input” error. If backward compatibility matters, consider keeping the input but mapping it to a constrained/allowlisted set of commands (or document the breaking change and require callers to update).
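The two suggestions in the comments above, sketched as an added shell example that is not code from the PR or from the reviewer: splitting `PINT_EXTRA_PATHS` (the env var from the first hunk) into validated path arguments without re-introducing expression interpolation, and mapping a `phpstan-command`-style input onto an allowlist of fixed commands instead of executing caller text. The function names, the path character allowlist, and the phpstan mode names and options are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not the PR's workflow code). Two defensive patterns for
# reusable-workflow inputs that end up in a run: step.

# 1. Multi-path input via an env var. The value arrives as data in
#    $PINT_EXTRA_PATHS (the env var from the hunk); it is never pasted
#    into shell source, so $(...) or ; inside it are just characters.
#    This sketch splits on whitespace and allowlists plain path tokens;
#    globs are not supported here (a literal '*' is rejected).

# Accept only plain relative path characters (the allowlist is an assumption).
validate_path() {
    case "$1" in
        -*) return 1 ;;                    # pint would read it as an option
        *[!A-Za-z0-9_./-]*) return 1 ;;    # whitespace, quotes, $, ;, *, ...
        *) return 0 ;;
    esac
}

# Print the validated tokens one per line, or fail on the first bad one.
# Runs in a subshell so 'set -f' (no glob expansion) does not leak out.
build_pint_args() (
    set -f
    for tok in $1; do
        validate_path "$tok" || {
            printf 'rejected path token: %s\n' "$tok" >&2
            exit 1
        }
    done
    for tok in $1; do
        printf '%s\n' "$tok"
    done
)

# 2. Command selection by name instead of a free-text command input.
#    The mode names and phpstan options are assumptions for illustration.
phpstan_command_for() {
    case "$1" in
        analyse|'')     printf '%s\n' 'vendor/bin/phpstan analyse --no-progress' ;;
        analyse-strict) printf '%s\n' 'vendor/bin/phpstan analyse --no-progress --level=max' ;;
        *)  printf 'unknown phpstan mode: %s\n' "$1" >&2; return 1 ;;
    esac
}

# Intended use inside a step (assumed, not from the PR):
#   args=$(build_pint_args "$PINT_EXTRA_PATHS") || exit 1
#   set -f; set -- $args; set +f      # tokens contain no whitespace or globs
#   pint "$@"
```

Re-splitting `$args` with `set --` is safe only because every token has already passed `validate_path`, which admits no whitespace or glob characters; if the caller needs real glob patterns, expand them deliberately (for example against a fixed base directory) rather than by leaving the expansion unquoted.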
phpstan-command
No description provided.