| field | value | date |
|---|---|---|
| author | Marc Cornellà <marc@mcornella.com> | 2025-09-27 20:00:50 +0200 |
| committer | GitHub <noreply@github.com> | 2025-09-27 20:00:50 +0200 |
| commit | 242e2faa51675494cbfa78a81f3ff47d81039863 (patch) | |
| tree | 77aa76eda5e1ebad168e219691f88aa09f876757 /.github/workflows/scorecard.yml | |
| parent | 6d5482ef59d1a3ae3b40b4583317ebe802f81447 (diff) | |
| download | zsh-242e2faa51675494cbfa78a81f3ff47d81039863.tar.gz zsh-242e2faa51675494cbfa78a81f3ff47d81039863.tar.bz2 zsh-242e2faa51675494cbfa78a81f3ff47d81039863.zip | |
ci: improve security in project.yml workflow (#13329)
There is no inherent security vulnerability in the workflow, but there were certain practices that increased latent risk. In this commit, we:

- Explicitly bind the app token for each step that needs it, instead of setting it for all steps after "Store app token"
- Refactor the "classify" step to not rely on files passed around, and instead use only an awk script.
- Remove all instances of template injection within `run` scripts. There was nothing dangerous, but the practice is unsafe.
- Sanitize all unwanted characters from PR plugin and theme names.

References: W2M1-06 W2M1-07
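The practices named in the commit message (binding the token per step rather than job-wide, avoiding `${{ }}` expansion inside `run` scripts, classifying changed paths in a single awk pass, and stripping unexpected characters from plugin and theme names) are shown together in the illustrative workflow below. This is an added example, not the project's `project.yml`; the job name, the label text, the use of `GITHUB_TOKEN` in place of an app token, and the `HEAD^1` diff against a depth-2 checkout are all assumptions made for the illustration.

```yaml
# Illustrative workflow (added example; not the oh-my-zsh project.yml itself).
name: classify-pr-example
on:
  pull_request:
    types: [opened, synchronize]

permissions: {}   # grant nothing at the workflow level; each job asks for what it needs

jobs:
  classify:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 2   # merge commit plus both parents, enough for HEAD^1..HEAD

      # Weak pattern: the expression is expanded into the script text before the
      # shell sees it, so PR-controlled fields become part of the command line.
      # - name: Weak (do not use)
      #   run: echo "PR title: ${{ github.event.pull_request.title }}"

      # Corrected pattern: untrusted values travel through environment variables,
      # which the shell treats as data rather than as script source.
      - name: Read PR title safely
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: printf 'PR title: %s\n' "$PR_TITLE"

      # One awk pass over the changed paths: take the second path component under
      # plugins/ or themes/, drop every character outside [A-Za-z0-9_-], dedupe,
      # and write the result straight to GITHUB_OUTPUT (no intermediate files).
      - name: Classify changed files
        id: classify
        run: |
          git diff --name-only HEAD^1 HEAD |
            awk -F/ '
              $1 == "plugins" || $1 == "themes" {
                name = $2
                gsub(/[^A-Za-z0-9_-]/, "", name)   # sanitize unwanted characters
                if (name != "" && !seen[$1, name]++) out[$1] = out[$1] (out[$1] ? " " : "") name
              }
              END {
                print "plugins=" out["plugins"]
                print "themes=" out["themes"]
              }
            ' >> "$GITHUB_OUTPUT"

      # The token is bound only on the step that talks to the API, not job-wide.
      # (The real workflow uses an app token; GITHUB_TOKEN stands in here.)
      - name: Apply labels
        if: steps.classify.outputs.plugins != '' || steps.classify.outputs.themes != ''
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
          PLUGINS: ${{ steps.classify.outputs.plugins }}
          THEMES: ${{ steps.classify.outputs.themes }}
        run: |
          [ -n "$PLUGINS" ] && gh pr edit "$PR_NUMBER" --add-label "Area: plugin"
          [ -n "$THEMES" ]  && gh pr edit "$PR_NUMBER" --add-label "Area: theme"
          exit 0
```

The two ideas to check in a review of any such workflow are that no `${{ }}` expression appears inside a `run:` body (only in `env:` or `with:`), and that secrets are attached to the narrowest step that needs them rather than to the job, so an injection in an unrelated step cannot reach them.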
Diffstat (limited to '.github/workflows/scorecard.yml')
0 files changed, 0 insertions, 0 deletions
