Temporary fix for command injection vulnerability in GHA workflow. (#13600)

Long term fix will require writing our own action to scan the PR body, because of environment variable size limits.
2022-08-31 14:23:59 -04:00 · 2022-08-31 14:23:59 -04:00 · 0d4ff34e1a
parent a544d51915
commit 0d4ff34e1a
1 changed files with 4 additions and 1 deletions
--- a/.github/workflows/packaging.yml
+++ b/.github/workflows/packaging.yml
@ -41,13 +41,16 @@ jobs:
      - name: Read build matrix
        id: set-matrix
        shell: python3 {0}
+        env:
+          PR_BODY: "${{ github.event.pull_request.body }}"
        run: |
          from ruamel.yaml import YAML
          import json
          import re
+          import os
          FULL_CI_REGEX = '/actions run full ci'
          ALWAYS_RUN_ARCHES = ["amd64", "x86_64"]
-          PR_BODY = """${{ github.event.pull_request.body }}"""
+          PR_BODY = os.environ['PR_BODY']
          yaml = YAML(typ='safe')
          entries = list()
          run_limited = False