From 3edbb1fbe93dd2cffb503b0bc9cb6cf0ce44adc7 Mon Sep 17 00:00:00 2001
From: Steffen Winter
Date: Fri, 27 Mar 2026 00:26:17 +0100
Subject: [PATCH] ci: use environment variables to mitigate template injections
---
 .github/workflows/cmake-linux.yml | 15 +++++++++------
 .github/workflows/continuous-build-linux.yml | 15 +++++++++------
 .github/workflows/continuous-build-macos.yml | 5 ++++-
 3 files changed, 22 insertions(+), 13 deletions(-)
diff --git a/.github/workflows/cmake-linux.yml b/.github/workflows/cmake-linux.yml
index 6a914bd4..531f7759 100644
--- a/.github/workflows/cmake-linux.yml
+++ b/.github/workflows/cmake-linux.yml
@@ -44,6 +44,9 @@ jobs:
 version: 22
 - compiler: gcc
 version: 14
+ env:
+ COMPILER: "${{ matrix.compiler }}"
+ VERSION: "${{ matrix.version }}"
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
@@ -51,18 +54,18 @@ jobs:
 
 - name: Install clang ${{ matrix.version }}
 if: ${{ matrix.compiler == 'clang' }}
- run: wget -qO - https://apt.llvm.org/llvm.sh | sudo bash -s -- ${{ matrix.version }} all
+ run: wget -qO - https://apt.llvm.org/llvm.sh | sudo bash -s -- ${VERSION} all
 
 - name: Configure
 run: |
- if [[ "${{ matrix.compiler }}" == "clang" ]]; then
- export CC=clang-${{ matrix.version }}
- export CXX=clang++-${{ matrix.version }}
+ if [[ "${COMPILER}" == "clang" ]]; then
+ export CC=clang-${VERSION}
+ export CXX=clang++-${VERSION}
 export CXXFLAGS="-stdlib=libc++"
 export LDFLAGS="-fuse-ld=lld -rtlib=compiler-rt -unwindlib=libunwind"
 else
- export CC=gcc-${{ matrix.version }}
- export CXX=g++-${{ matrix.version }}
+ export CC=gcc-${VERSION}
+ export CXX=g++-${VERSION}
 fi
 cmake -B build -G Ninja -DCMAKE_BUILD_TYPE=Debug
 
diff --git a/.github/workflows/continuous-build-linux.yml b/.github/workflows/continuous-build-linux.yml
index 2af3c914..db3bd300 100644
--- a/.github/workflows/continuous-build-linux.yml
+++ b/.github/workflows/continuous-build-linux.yml
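Review bot: `sudo bash -s -- ${VERSION} all` in the Install clang step passes the new variable unquoted, and the same holds for `${TOOLCHAIN}` in the wget, tar and `CXX=` lines of the continuous-build-linux.yml hunk and for `${RUNNER}`/`${VERSION}` in the continuous-build-macos.yml mv line. Once the value arrives through the environment instead of being pasted into the script at render time, word splitting and globbing are done by the shell, so the usual form is `sudo bash -s -- "${VERSION}" all` (the `export CC=clang-${VERSION}` assignments are not word-split and can stay as they are). The `if [[ "${COMPILER}" == "clang" ]]` test in the Configure step already quotes correctly. Every value currently comes from a fixed matrix list, so this is hygiene rather than an exploitable gap, but it is what keeps the env-variable pattern sound if the matrix later takes values from elsewhere.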
@@ -60,6 +60,8 @@ jobs:
 - riscv64-unknown-linux-musl
 - s390x-ibm-linux-musl
 - x86_64-unknown-linux-musl
+ env:
+ TOOLCHAIN: "${{ matrix.toolchain }}"
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
@@ -68,19 +70,20 @@ jobs:
 
 - name: Install cross toolchain
 run: |
- wget -q -P /tmp https://github.com/cross-tools/musl-cross/releases/download/20260430/${{ matrix.toolchain }}.tar.xz
- wget -q -P /tmp https://github.com/cross-tools/musl-cross/releases/download/20260430/${{ matrix.toolchain }}.tar.xz.sha256
+ wget -q -P /tmp https://github.com/cross-tools/musl-cross/releases/download/20260430/${TOOLCHAIN}.tar.xz
+ wget -q -P /tmp https://github.com/cross-tools/musl-cross/releases/download/20260430/${TOOLCHAIN}.tar.xz.sha256
 echo "$(cat /tmp/${{ matrix.toolchain }}.tar.xz.sha256) /tmp/${{ matrix.toolchain }}.tar.xz" | sha256sum --check --status
 mkdir -p /opt/x-tools/
- tar -xf /tmp/${{ matrix.toolchain }}.tar.xz -C /opt/x-tools
+ tar -xf /tmp/${TOOLCHAIN}.tar.xz -C /opt/x-tools
 
 - name: Compile
- run: CXX=/opt/x-tools/${{ matrix.toolchain }}/bin/${{ matrix.toolchain }}-g++ make STATIC=true STRIP=true
+ run: CXX=/opt/x-tools/${TOOLCHAIN}/bin/${TOOLCHAIN}-g++ make STATIC=true STRIP=true
 
 - name: Create binary artifacts
+ env:
+ GITHUB_SHA: "${{ github.sha }}"
 run: |
- TOOLCHAIN=${{ matrix.toolchain }}
- GIT_HASH=$(git rev-parse --short "${{ github.sha }}")
+ GIT_HASH=$(git rev-parse --short "${GITHUB_SHA}")
 FILENAME=btop-${TOOLCHAIN/linux-musl/}-$GIT_HASH
 mv bin/btop bin/$FILENAME
 
diff --git a/.github/workflows/continuous-build-macos.yml b/.github/workflows/continuous-build-macos.yml
index c49e70f5..16d80bc1 100644
--- a/.github/workflows/continuous-build-macos.yml
+++ b/.github/workflows/continuous-build-macos.yml
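Review bot: The checksum line `echo "$(cat /tmp/${{ matrix.toolchain }}.tar.xz.sha256) /tmp/${{ matrix.toolchain }}.tar.xz" | sha256sum --check --status` in the Install cross toolchain step still interpolates `${{ matrix.toolchain }}` into the `run:` script, while the wget lines above it and the tar line below it were switched to `${TOOLCHAIN}`; since the job-level `TOOLCHAIN` env is added in the preceding hunk, it can read `echo "$(cat /tmp/${TOOLCHAIN}.tar.xz.sha256) /tmp/${TOOLCHAIN}.tar.xz" | sha256sum --check --status`. Separately, the Create binary artifacts step now declares `env: GITHUB_SHA: "${{ github.sha }}"`, but `GITHUB_SHA` is a default variable the runner already exports with that value, which the continuous-build-macos.yml hunk in this same patch relies on with `"$GITHUB_SHA"`; dropping the step-level `env:` block avoids shadowing a default name and keeps the two workflows consistent. The removed `TOOLCHAIN=${{ matrix.toolchain }}` line means `${TOOLCHAIN/linux-musl/}` on the FILENAME line now depends on the job-level env, which a short comment above that `env:` entry, e.g. `# TOOLCHAIN is also consumed by the FILENAME substitution in the artifacts step`, would make explicit.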
@@ -56,10 +56,13 @@ jobs:
 brew install --force --overwrite gcc@15 lowdown
 
 - name: Compile
+ env:
+ RUNNER: "${{ matrix.os.runner }}"
+ VERSION: "${{ matrix.os.version }}"
 run: |
 make CXX=$(brew --prefix)/bin/g++-15
 GIT_HASH=$(git rev-parse --short "$GITHUB_SHA")
- mv bin/btop bin/btop-arm64-${{ matrix.os.runner }}-${{ matrix.os.version }}-$GIT_HASH
+ mv bin/btop bin/btop-arm64-${RUNNER}-${VERSION}-$GIT_HASH
 ls -alh bin
 
 - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0