24 changes: 14 additions & 10 deletions .github/workflows/update-homebrew-cask.yml
Expand Up @@ -28,15 +28,19 @@
steps:
- name: Extract version from workflow run
id: version
env:
EVENT_NAME: ${{ github.event_name }}
INPUT_VERSION: ${{ github.event.inputs.version }}
HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}
run: |
if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
VERSION="${{ github.event.inputs.version }}"
if [ "$EVENT_NAME" = "workflow_dispatch" ]; then
VERSION="$INPUT_VERSION"
else
# Get the tag from the workflow run
# The release workflow runs on tag push, so we extract from head_branch
VERSION="${{ github.event.workflow_run.head_branch }}"
VERSION="$HEAD_BRANCH"
fi
echo "version=$VERSION" >> $GITHUB_OUTPUT
echo "version=$VERSION" >> "$GITHUB_OUTPUT"
echo "Release version: $VERSION"

- name: Get DMG asset details
Expand All @@ -44,7 +48,7 @@
uses: actions/github-script@v7
with:
script: |
const version = '${{ steps.version.outputs.version }}';

Check failure

Code scanning / CodeQL

Code injection Critical

Potential code injection in
${ steps.version.outputs.version }
, which may be controlled by an external user (
workflow_run
).

// Get release by tag (works for both release trigger and manual dispatch)
const release = await github.rest.repos.getReleaseByTag({
Expand Down Expand Up @@ -79,16 +83,16 @@
uses: actions/checkout@v4
with:
repository: SyntheticAutonomicMind/homebrew-SAM
env:
VERSION: ${{ steps.version.outputs.version }}
SHA256: ${{ steps.hash.outputs.sha256 }}
DMG_URL: ${{ steps.asset.outputs.url }}
token: ${{ secrets.HOMEBREW_PAT }}
path: homebrew

- name: Update SAM cask
working-directory: homebrew
run: |
VERSION="${{ steps.version.outputs.version }}"
SHA256="${{ steps.hash.outputs.sha256 }}"
DMG_URL="${{ steps.asset.outputs.url }}"

echo "Updating Casks/sam.rb"
echo " Version: $VERSION"
echo " SHA256: $SHA256"
Expand All @@ -99,6 +103,8 @@
-e "s|sha256 \"[^\"]*\"|sha256 \"$SHA256\"|" \
Casks/sam.rb

env:
VERSION: ${{ steps.version.outputs.version }}
# Show the updated file
echo "Updated Casks/sam.rb:"
head -10 Casks/sam.rb
Expand All @@ -109,8 +115,6 @@
git config user.name "github-actions[bot]"
git config user.email "github-actions[bot]@users.noreply.github.com"

VERSION="${{ steps.version.outputs.version }}"

git add Casks/sam.rb
if git diff --staged --quiet; then
echo "No changes detected"
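Review bot: The two new `env:` mappings in the third and fourth hunks look attached to the wrong steps, so the step-scoped variables the rewritten scripts now read are not set where they are used. In the hunk at `@@ -79,16 +83,16 @@` the added `env:` / `VERSION` / `SHA256` / `DMG_URL` lines sit between `repository:` and `token:` of the `actions/checkout@v4` step's `with:` block rather than on the `Update SAM cask` step whose `run` echoes `$VERSION` and `$SHA256`, and in the hunk at `@@ -99,6 +103,8 @@` the added `env:` / `VERSION: ${{ steps.version.outputs.version }}` lands between the `sed` invocation and `# Show the updated file`, i.e. in the middle of that same step's `run: |` text, while the commit step that loses its `VERSION="..."` assignment in the last hunk gets nothing in return. Indentation is not visible in this rendered view so the exact parse is inferred, but either the file no longer parses as the author intends or `$VERSION` is empty where it is read, and if the `${{ }}` line ends up inside the script the runner expands it as shell text again, which is precisely what this PR is removing. Move each `env:` block to step level beside `working-directory:` / `run:` of the step that consumes it (the three-variable mapping on `Update SAM cask`, and `env:` / `  VERSION: ${{ steps.version.outputs.version }}` on the commit step), and since `HEAD_BRANCH` is whatever the upstream `workflow_run` was started from, consider rejecting non-tag-shaped values in the first step before they reach `sed` (which uses `|` as its delimiter) and `getReleaseByTag`, e.g. `[[ "$VERSION" =~ ^v?[0-9]+(\.[0-9]+)+$ ]] || { echo "unexpected version: $VERSION" >&2; exit 1; }`. The enclosing `steps:` list, including the commit step, begins and ends outside these hunks.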