action.yml: use step-level env vars instead of direct vars in commands It seems unlikely that users would configure this action in a way to allow injection of malicious content into the commands we run, but better to be safe here, since GitHub Actions are a footgun with a hair trigger. Change-Id: I8d137a1f98f832c8d22506b309f20644fc74e4ec Reviewed-on: https://go-review.googlesource.com/c/govulncheck-action/+/797300 Reviewed-by: Neal Patel <nealpatel@google.com> Reviewed-by: Neal Patel <neal@golang.org> TryBot-Bypass: Roland Shoemaker <roland@golang.org> Auto-Submit: Roland Shoemaker <roland@golang.org> Commit-Queue: Roland Shoemaker <roland@golang.org>
diff --git a/action.yml b/action.yml index 7a33d71..6fe7e2c 100644 --- a/action.yml +++ b/action.yml
@@ -60,9 +60,18 @@ GOARCH: '' - if: inputs.output-file == '' name: Run govulncheck - run: govulncheck -C ${{ inputs.work-dir }} -format ${{ inputs.output-format }} ${{ inputs.go-package }} + run: govulncheck -C "$WORK_DIR" -format "$OUTPUT_FORMAT" "$GO_PACKAGE" shell: bash + env: + WORK_DIR: ${{ inputs.work-dir }} + OUTPUT_FORMAT: ${{ inputs.output-format }} + GO_PACKAGE: ${{ inputs.go-package }} - if: inputs.output-file != '' name: Run govulncheck and save to file - run: govulncheck -C ${{ inputs.work-dir }} -format ${{ inputs.output-format }} ${{ inputs.go-package }} > ${{ inputs.output-file }} + run: govulncheck -C "$WORK_DIR" -format "$OUTPUT_FORMAT" "$GO_PACKAGE" > "$OUTPUT_FILE" shell: bash + env: + WORK_DIR: ${{ inputs.work-dir }} + OUTPUT_FORMAT: ${{ inputs.output-format }} + GO_PACKAGE: ${{ inputs.go-package }} + OUTPUT_FILE: ${{ inputs.output-file }}