Harden github.event_name interpolation in oci-build.yaml #3

Description

@devin-ai-integration

Lines 94 and 240 of .github/workflows/oci-build.yaml use ${{ github.event_name }} directly in bash run: blocks via string interpolation rather than routing through an environment variable.

While github.event_name is constrained to a fixed set of values by GitHub (e.g. pull_request, push, workflow_call) and is not attacker-controlled, this is inconsistent with the pattern established in PR c6b5563 which moved other inputs to env vars to prevent script injection.

Suggested Fix

Route github.event_name through an environment variable for consistency:

env:
  EVENT_NAME: ${{ github.event_name }}
run: |
  if [[ "$EVENT_NAME" == "pull_request" ]]; then
    ...

Context

Identified by Devin Review in PR #2. Not exploitable in practice but worth addressing for defense-in-depth consistency.
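A small scanner for the pattern this issue describes, added here as an example and not code from the repository: it walks a workflow file line by line and reports every ${{ }} expression that is spliced directly into a run: script, while expressions routed through env: (the suggested fix) are not reported because the shell then reads a variable rather than having the value written into the script source. The workflow text is a constructed sample, not the project's oci-build.yaml.

```python
import re

# A GitHub Actions expression, e.g. ${{ github.event_name }}
EXPR = re.compile(r"\$\{\{\s*([^}]+?)\s*\}\}")
RUN_KEY = re.compile(r"^(-\s+)?run:\s*(.*)$")

def find_run_interpolations(workflow_text):
    """Return (line_no, expression) for each ${{ }} expanded inside a run: script."""
    findings = []
    key_col = None  # column of the open run: key while inside its block scalar
    for n, line in enumerate(workflow_text.splitlines(), 1):
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        if key_col is not None:
            if stripped and indent <= key_col:
                key_col = None  # dedented past the key: the block scalar ended
            else:
                findings += [(n, e) for e in EXPR.findall(line)]
                continue
        m = RUN_KEY.match(stripped)
        if not m:
            continue
        dash, body = m.group(1) or "", m.group(2)
        if body.startswith(("|", ">")):
            key_col = indent + len(dash)  # body lines must sit right of the key
        else:
            findings += [(n, e) for e in EXPR.findall(body)]  # inline run: script
    return findings

# Constructed sample: step one splices the expression in, step two routes it via env.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - name: unsafe pattern
        run: |
          if [[ "${{ github.event_name }}" == "pull_request" ]]; then echo pr; fi
      - name: hardened pattern
        env:
          EVENT_NAME: ${{ github.event_name }}
        run: |
          if [[ "$EVENT_NAME" == "pull_request" ]]; then echo pr; fi
      - run: echo "ref is ${{ github.ref_name }}"
"""

if __name__ == "__main__":
    for line_no, expr in find_run_interpolations(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {expr} is expanded inside a run: script")
```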
