github-env: refinements

[woodruffw]

The github-env audit merged in #192 is barebones. Some things we should do to improve it:

• Use a regex to match suspicious >> $GITHUB_ENV shell lines; this won't be perfect, but it'll avoid false positives like echo $GITHUB_ENV.
  • Candidate expression: ^.+\s*>>?\s*"?\$\{?GITHUB_ENV\}?"?.*$
  • We should also support PowerShell run: bodies, which are their own mess.
  • feat: improve precision for github-env #199
• Handle actions/github-script bodies as well, since people are likely to modify GITHUB_ENV there too.

[woodruffw]

For PowerShell, we need to detect patterns like ... | Out-File -FilePath $env:GITHUB_ENV -Append and ... >> $env:GITHUB_ENV.

Edit: As well as cursed things like ${env:GITHUB_ENV} = ...

Edit 2: $env:GITHUB_ENV is also case insensitive, at least on Windows.

[woodruffw]

Another, more serious option here would be to use tree-sitter grammars as necessary:

• https://crates.io/crates/tree-sitter-bash
• https://github.com/airbus-cert/tree-sitter-powershell (no Rust crate yet)

Edit: see airbus-cert/tree-sitter-powershell#9.

[ubiratansoares]

@woodruffw It seems that Python is also a shell option 🙀

[ubiratansoares]

@woodruffw I gave a try on tree-sitter-bash here. Hope it is in the right direction 🙂

[woodruffw]

@woodruffw It seems that Python is also a shell option 🙀

Oh yeah, it gets way worse 🙂 -- there's no way we'll end up being fully general here. But I bet we can come up with some good patterns there as well.

I gave a try on tree-sitter-bash here. Hope it is in the right direction

Thanks, that looks amazing! I'll do a more detailed review in a bit, but that approach of popping nodes from the stack is great.

[woodruffw]

shell: cmd is also a possibility, and in that case the pattern will look something like:

echo NAME=VAR >> %GITHUB_ENV%