ci: use envs in GHAs and pin versions #2178
Conversation
mdtro commented May 28, 2025
- Running these workflows is gated pretty well, but this mitigates the potential for a script injection attack by passing the input to an intermediary environment variable first.
  - See https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#example-of-a-script-injection-attack for more details.
- Using version tags or no specifier at all can open us up to dependency attacks. Pinning the SHA is a strong mitigation.
  - See: https://semgrep.dev/blog/2025/popular-github-action-tj-actionschanged-files-is-compromised/
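The two changes the description lists, as an added workflow fragment that is not the PR's own diff: the `unity-version` input name comes from the discussion below, while the job and step names, the version-format check and the commit SHA placeholder are assumptions.

```yaml
# Added example, not the PR's diff. The `unity-version` input name is from
# the PR discussion; job/step names, the allowed version format and the
# commit SHA placeholder are assumptions.
name: build
on:
  workflow_dispatch:
    inputs:
      unity-version:
        description: "Unity version to build with"
        required: true
        type: string

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # Pin third-party actions to a full commit SHA rather than a mutable
      # tag such as @v4; keep the human-readable tag in a trailing comment
      # so reviewers can still see which release the SHA corresponds to.
      - uses: actions/checkout@<full-40-hex-commit-sha>  # vX.Y.Z (placeholder)

      # Weak form (what the PR moves away from): the ${{ }} expression is
      # expanded into the script text before bash starts, so the input value
      # itself becomes part of the script rather than a value the script reads.
      #
      #   - name: print version
      #     run: echo "Building with ${{ inputs.unity-version }}"

      # Hardened form: the expression is evaluated into an environment
      # variable, and the script reads it as data with ${UNITY_VERSION}.
      # A short allow-list check on the value adds a second layer; the
      # permitted character set here is an assumption about Unity versions
      # (e.g. 2022.3.10f1: digits, letters and dots only).
      - name: print version
        env:
          UNITY_VERSION: ${{ inputs.unity-version }}
        run: |
          case "${UNITY_VERSION}" in
            ""|*[!0-9A-Za-z.]*)
              echo "unexpected unity-version value" >&2
              exit 1
              ;;
          esac
          echo "Building with ${UNITY_VERSION}"
```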
@mdtro I noticed you updated quite a few variable references from double curly brace to single curly brace,
e.g. ${{ inputs.unity-version }}
to "${UNITY_VERSION}".
Is that on purpose?
Yes, it is intentional. With double curly brackets
Using single brackets
Thanks for opening this. cc @getsentry/gdx @tustanivsky @vaind @jamescrosswell @limbonaut @bitsandfoxes something to keep in mind going forward
Co-authored-by: Serhii Snitsaruk <limbonaut@pm.me>