
Commit 5232b5f

authored
Fix execution of sonar from branches within the same repo.
1 parent 601b32a commit 5232b5f

1 file changed

+15
-14
lines changed


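--- a/.github/workflows/sonar.yaml
+++ b/.github/workflows/sonar.yaml
@@ -37,36 +37,37 @@ jobs:
         if: env.SONAR_TOKEN_SET == 'true'
         id: get_pr_data
         with:
-          route: GET /repos/{full_name}/pulls/{number}
-          number: ${{ steps.pr_number.outputs.content }}
-          full_name: ${{ github.event.repository.full_name }}
+          route: GET /repos/${{env.full_name}}/pulls/${{env.pr_number}}
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      - name: "sanitize head ref"
+          pr_number: ${{ steps.pr_number.outputs.content }}
+          full_name: ${{ github.event.repository.full_name }}
+      - name: "Check for legal branch names"
         id: set_branch_name
+        env:
+          HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}
         run: |
-          head_ref="${{ github.event.workflow_run.head_repository.head_branch }}"
-
-          # Sanitize by replacing shell characters with -
-          sanitized_head=$(echo ${head_ref} | sed 's/[\(\$\)]/-/g')
-
-          echo "sanitized_head_ref=${sanitized_head}" >> $GITHUB_ENV
+          if [[ ${HEAD_BRANCH} =~ [\(\$\)\;]+ ]];
+          then
+            echo "BRANCH '${HEAD_BRANCH}' contains potentially malicious characters as it matches BRANCH_REGEX '${BRANCH_REGEX}'"
+            exit 1
+          else
+            echo "SANITIZED_HEAD_REF=${HEAD_BRANCH}" >> $GITHUB_ENV
+          fi
         shell: bash
       - uses: actions/checkout@v6
         if: env.SONAR_TOKEN_SET == 'true'
         with:
           repository: ${{ github.event.workflow_run.head_repository.full_name }}
-          ref: ${{env.sanitized_head_ref}}
+          ref: ${{env.SANITIZED_HEAD_REF}}
           fetch-depth: 0
       - name: Checkout base branch
         if: env.SONAR_TOKEN_SET == 'true'
-        env:
-          HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}
         run: |
           git remote add upstream ${{ github.event.repository.clone_url }}
           git fetch upstream
           git checkout -B ${{ fromJson(steps.get_pr_data.outputs.data).base.ref }} upstream/${{ fromJson(steps.get_pr_data.outputs.data).base.ref }}
-            git checkout "${HEAD_BRANCH}"
+            git checkout "origin/${{env.SANITIZED_HEAD_REF}}"
             git clean -ffdx && git reset --hard HEAD
       - name: Set up QEMU
         uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130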
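Review bot: The new `git checkout "origin/${{env.SANITIZED_HEAD_REF}}"` line interpolates the branch name into the shell through `${{ }}`, which the removed `"${HEAD_BRANCH}"` form deliberately avoided, and the `[\(\$\)\;]+` blocklist in the "Check for legal branch names" step leaves backticks, `|`, `&`, `"`, `<` and `>` — all legal in a git ref name — unchecked; since `github.event.workflow_run.head_branch` is chosen by whoever opened the PR, this looks injectable on fork PRs. Read the value from the environment instead, `git checkout "origin/${SANITIZED_HEAD_REF}"` (a value written to GITHUB_ENV is exported to later steps), and turn the check into an allowlist, `if [[ ! "${HEAD_BRANCH}" =~ ^[A-Za-z0-9._/-]+$ ]]; then`. `${BRANCH_REGEX}` in the error message is not defined anywhere in this hunk, so it will print empty. The `route:` change also moves from octokit's `{full_name}`/`{number}` placeholders to `${{env.pr_number}}` string interpolation, so whatever the `pr_number` step read ends up verbatim in the request path; keeping the placeholder form, or adding a digits-only check on `pr_number`, would be safer.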
