From: David Galloway Date: Fri, 5 Dec 2025 16:23:27 +0000 (-0500) Subject: .github: Harden workflow against arbritrary code injection X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=fef12f8553582f2a021b90c11eb72c1afa45d414;p=ceph-ci.git .github: Harden workflow against arbritrary code injection See https://github.com/tj-actions/branch-names/security/advisories/GHSA-8v8w-v8xg-79rf Signed-off-by: David Galloway
---
diff --git a/.github/workflows/diff-ceph-config.yml b/.github/workflows/diff-ceph-config.yml
index ce1c51ec408..cf3656a8c46 100644
--- a/.github/workflows/diff-ceph-config.yml
+++ b/.github/workflows/diff-ceph-config.yml
@@ -35,11 +35,11 @@ jobs:
 working-directory: ceph
 run: |
 # Fetch enough history to find a common ancestor commit (aka merge-base):
-git fetch origin ${{ env.refspec_pr }} --depth=$(( ${{ github.event.pull_request.commits }} + 1 )) \
+git fetch origin "${{ env.refspec_pr }}" --depth=$(( ${{ github.event.pull_request.commits }} + 1 )) \
 --no-tags --prune --no-recurse-submodules
 # This should get the oldest commit in the local fetched history (the commit in ceph upstream from which PR branched from):
-COMMON_ANCESTOR=$( git rev-list --first-parent --max-parents=0 --max-count=1 ${{ env.branch_pr }} )
+COMMON_ANCESTOR=$( git rev-list --first-parent --max-parents=0 --max-count=1 "${{ env.branch_pr }}" )
 COMMON_ANCESTOR_SHA=$( git log --format=%H "${COMMON_ANCESTOR}" )
 echo "COMMON_ANCESTOR_SHA=${COMMON_ANCESTOR_SHA}" >> $GITHUB_ENV
@@ -66,7 +66,7 @@ jobs:
 run: | { echo 'DIFF_JSON<> "$GITHUB_OUTPUT" working-directory: ceph
@@ -80,4 +80,4 @@ jobs:
 script: |
 const configDiff = process.env.DIFF_JSON_OUTPUT;
 const postComment = require('./ceph/.github/workflows/scripts/config-diff-post-comment.js');
-postComment({ github, context, core, configDiff });
\ No newline at end of file
+postComment({ github, context, core, configDiff });
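Review bot: Wrapping `${{ env.refspec_pr }}` and `${{ env.branch_pr }}` in double quotes does not close the injection the linked advisory describes, because `${{ }}` expressions are expanded into the script text before bash parses it, so a branch name containing `"` or `$(...)` still breaks out of the quotes. Both values already live in the `env` context, so the shell can read them as real variables instead of having them interpolated: `git fetch origin "$refspec_pr" --depth=$(( ${{ github.event.pull_request.commits }} + 1 )) \` and `COMMON_ANCESTOR=$( git rev-list --first-parent --max-parents=0 --max-count=1 "$branch_pr" )`. The same treatment would suit the pull-request commit count for consistency, and the unquoted `>> $GITHUB_ENV` on the last context line is a pre-existing minor quoting gap. The step's `env:` block that defines these variables is outside the hunk, so I am assuming they are plain step/job environment entries rather than something only available to the expression engine; worth confirming before relying on `$refspec_pr` and `$branch_pr`. The run block in the second hunk appears garbled in this rendering and could not be reviewed.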