From 7db2f45b07b6becc395f2754907ad6eea8e86213 Mon Sep 17 00:00:00 2001
From: Bobby Carp
Date: Tue, 10 Mar 2026 22:58:52 +0000
Subject: [PATCH] fix(workflows): Prevent shell injection in fast-revert workflow
Use environment variables instead of direct GitHub context interpolation in shell commands to prevent potential script injection attacks.
Refs: https://linear.app/getsentry/issue/DI-967
Co-Authored-By: Claude
---
 .github/workflows/fast-revert.yml | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/fast-revert.yml b/.github/workflows/fast-revert.yml
index 64674e1ec25..7561d36c2ca 100644
--- a/.github/workflows/fast-revert.yml
+++ b/.github/workflows/fast-revert.yml
@@ -30,11 +30,17 @@ jobs:
 committer_email: bot@sentry.io
 token: ${{ secrets.BUMP_SENTRY_TOKEN }}
 - name: comment on failure
+ env:
+ GH_TOKEN: ${{ secrets.BUMP_SENTRY_TOKEN }}
+ REPO: ${{ github.repository }}
+ RUN_ID: ${{ github.run_id }}
+ REPO_ID: ${{ github.event.repository.id }}
+ ISSUE_NUMBER: ${{ github.event.number || github.event.inputs.pr }}
 run: |
 curl \
 --silent \
 -X POST \
- -H 'Authorization: token ${{ secrets.BUMP_SENTRY_TOKEN }}' \
- -d'{"body": "revert failed (conflict? already reverted?) -- [check the logs](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }})"}' \
- https://api.github.com/repositories/${{ github.event.repository.id }}/issues/${{ github.event.number || github.event.inputs.pr }}/comments
+ -H "Authorization: token $GH_TOKEN" \
+ -d "{\"body\": \"revert failed (conflict? already reverted?) -- [check the logs](https://github.com/$REPO/actions/runs/$RUN_ID)\"}" \
+ "https://api.github.com/repositories/$REPO_ID/issues/$ISSUE_NUMBER/comments"
 if: failure()
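Review bot: `ISSUE_NUMBER` is still spliced into the request URL on the last added line without any validation; `github.event.inputs.pr` looks like a manually supplied dispatch input, so a non-numeric value no longer breaks the shell but would send the comment to an unintended API path. A guard at the top of the `run:` block keeps the request shape fixed: `case "$ISSUE_NUMBER" in ''|*[!0-9]*) echo "invalid PR number: $ISSUE_NUMBER" >&2; exit 1;; esac`. The JSON body is still assembled by string interpolation of `$REPO` and `$RUN_ID`; these come from trusted context so the risk is low, but `jq -n --arg` would produce correctly escaped JSON if jq is available on the runner. `--silent` on its own also hides HTTP failures, so `--silent --show-error --fail` would make a rejected comment visible in the job log. The enclosing job definition starts outside the hunk.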