
Commit 445336a

authored
Follow GitHub recommendation to update release.yml (FreeRTOS#1178)
GitHub recommends storing user inputs in environment variables and then using them in scripts. This PR updates the code as per that GitHub recommendation. Details here - https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#understanding-the-risk-of-script-injections.
1 parent 7d76dce commit 445336a

2 files changed

+34
-14
lines changed


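--- a/.github/workflows/auto-release.yml
+++ b/.github/workflows/auto-release.yml
@@ -44,37 +44,49 @@ jobs:
 fetch-depth: 0
 
 - name: Configure git identity
+env:
+ACTOR: ${{ github.actor }}
 run: |
-git config --global user.name ${{ github.actor }}
-git config --global user.email ${{ github.actor }}@users.noreply.github.com
+git config --global user.name "$ACTOR"
+git config --global user.email "$ACTOR"@users.noreply.github.com
 
 - name: create a new branch that references commit id
+env:
+VERSION_NUMBER: ${{ github.event.inputs.version_number }}
+COMMIT_ID: ${{ github.event.inputs.commit_id }}
 working-directory: ./local_kernel
 run: |
-git checkout -b ${{ github.event.inputs.version_number }} ${{ github.event.inputs.commit_id }}
+git checkout -b "$VERSION_NUMBER" "$COMMIT_ID"
 echo "COMMIT_SHA_1=$(git rev-parse HEAD)" >> $GITHUB_ENV
 
 - name: Update source files with version info
+env:
+VERSION_NUMBER: ${{ github.event.inputs.version_number }}
+MAIN_BR_VERSION_NUMBER: ${{ github.event.inputs.main_br_version }}
+COMMIT_SHA_1: ${{ env.COMMIT_SHA_1 }}
+GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 run: |
 # Install deps and run
 pip install -r ./tools/.github/scripts/release-requirements.txt
-./tools/.github/scripts/update_src_version.py FreeRTOS --kernel-repo-path=local_kernel --kernel-commit=${{ env.COMMIT_SHA_1 }} --new-kernel-version=${{ github.event.inputs.version_number }} --new-kernel-main-br-version=${{ github.event.inputs.main_br_version }}
+./tools/.github/scripts/update_src_version.py FreeRTOS --kernel-repo-path=local_kernel --kernel-commit="$COMMIT_SHA_1" --new-kernel-version="$VERSION_NUMBER" --new-kernel-main-br-version="$MAIN_BR_VERSION_NUMBER"
 exit $?
-env:
-GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
 - name : Update version number in manifest.yml
+env:
+VERSION_NUMBER: ${{ github.event.inputs.version_number }}
 working-directory: ./local_kernel
 run: |
-./.github/scripts/manifest_updater.py -v ${{ github.event.inputs.version_number }}
+./.github/scripts/manifest_updater.py -v "$VERSION_NUMBER"
 exit $?
 
 - name : Commit version number change in manifest.yml
+env:
+VERSION_NUMBER: ${{ github.event.inputs.version_number }}
 working-directory: ./local_kernel
 run: |
 git add .
 git commit -m '[AUTO][RELEASE]: Update version number in manifest.yml'
-git push -u origin ${{ github.event.inputs.version_number }}
+git push -u origin "$VERSION_NUMBER"
 
 - name: Generate SBOM
 uses: FreeRTOS/CI-CD-Github-Actions/sbom-generator@main
@@ -83,24 +95,32 @@ jobs:
 source_path: ./
 
 - name: commit SBOM file
+env:
+VERSION_NUMBER: ${{ github.event.inputs.version_number }}
 working-directory: ./local_kernel
 run: |
 git add .
 git commit -m '[AUTO][RELEASE]: Update SBOM'
-git push -u origin ${{ github.event.inputs.version_number }}
+git push -u origin "$VERSION_NUMBER"
 echo "COMMIT_SHA_2=$(git rev-parse HEAD)" >> $GITHUB_ENV
 
 - name: Release
+env:
+VERSION_NUMBER: ${{ github.event.inputs.version_number }}
+MAIN_BR_VERSION_NUMBER: ${{ github.event.inputs.main_br_version }}
+COMMIT_SHA_2: ${{ env.COMMIT_SHA_2 }}
+REPO_OWNER: ${{ github.repository_owner }}
+GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 run: |
 # Install deps and run
 pip install -r ./tools/.github/scripts/release-requirements.txt
-./tools/.github/scripts/release.py ${{ github.repository_owner }} --kernel-repo-path=local_kernel --kernel-commit=${{ env.COMMIT_SHA_2 }} --new-kernel-version=${{ github.event.inputs.version_number }} --new-kernel-main-br-version=${{ github.event.inputs.main_br_version }}
+./tools/.github/scripts/release.py "$REPO_OWNER" --kernel-repo-path=local_kernel --kernel-commit="$COMMIT_SHA_2" --new-kernel-version="$VERSION_NUMBER" --new-kernel-main-br-version="$MAIN_BR_VERSION_NUMBER"
 exit $?
-env:
-GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
 - name: Cleanup
+env:
+VERSION_NUMBER: ${{ github.event.inputs.version_number }}
 working-directory: ./local_kernel
 run: |
 # Delete the branch created for Tag by SBOM generator
-git push -u origin --delete ${{ github.event.inputs.version_number }}
+git push -u origin --delete "$VERSION_NUMBER"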
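Review bot: Moving the inputs into `env:` closes the expression-injection hole, but `version_number` and `commit_id` still reach git and the release scripts as bare arguments, so a value beginning with `-` could be read as an option by `git checkout -b "$VERSION_NUMBER" "$COMMIT_ID"` in the 'create a new branch' step and by the later `git push -u origin "$VERSION_NUMBER"` lines; a format check at the top of that first step would bound what a dispatched input can be, e.g. `[[ "$VERSION_NUMBER" =~ ^[A-Za-z0-9][A-Za-z0-9._-]*$ ]] || { echo "invalid version_number"; exit 1; }` and, if commit_id is always a SHA, `[[ "$COMMIT_ID" =~ ^[0-9a-fA-F]{7,40}$ ]] || { echo "invalid commit_id"; exit 1; }`. The exposure is limited because only someone able to dispatch the workflow supplies these values, but the check also stops a typo from creating and pushing a stray branch. Two style points on the same hunk: `"$ACTOR"@users.noreply.github.com` works in bash but `"$ACTOR@users.noreply.github.com"` reads more naturally, and the `COMMIT_SHA_1: ${{ env.COMMIT_SHA_1 }}` / `COMMIT_SHA_2: ${{ env.COMMIT_SHA_2 }}` entries look redundant since a value appended to `$GITHUB_ENV` is already exported to later steps — harmless, but a short comment such as `# re-exported explicitly for readability; already set via GITHUB_ENV` would explain why they are kept.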

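--- a/tasks.c
+++ b/tasks.c
@@ -3882,7 +3882,7 @@ void vTaskSuspendAll( void )
 /* This must never be called from inside a critical section. */
 configASSERT( portGET_CRITICAL_NESTING_COUNT() == 0 );
 
-/* portSOFRWARE_BARRIER() is only implemented for emulated/simulated ports that
+/* portSOFTWARE_BARRIER() is only implemented for emulated/simulated ports that
 * do not otherwise exhibit real time behaviour. */
 portSOFTWARE_BARRIER();
 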