Description
Lines 94 and 240 of .github/workflows/oci-build.yaml use ${{ github.event_name }} directly inside bash run: blocks. The Actions runner substitutes a ${{ }} expression into the script text before the shell parses it, so any value containing shell metacharacters becomes part of the script rather than data; the established defense is to pass such values in through env: and reference them as shell variables.
While github.event_name is constrained to a fixed set of values by GitHub (e.g. pull_request, push, workflow_call) and is not attacker-controlled, using it inline is inconsistent with the pattern established in PR c6b5563, which moved other inputs to env vars to prevent script injection.
Suggested Fix
Route github.event_name through an environment variable for consistency:
env:
  EVENT_NAME: ${{ github.event_name }}
run: |
  if [[ "$EVENT_NAME" == "pull_request" ]]; then
    ...
Context
Identified by Devin Review in PR #2. Not exploitable in practice but worth addressing for defense-in-depth consistency.
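As an added illustration, not code from the issue or from the oci-build.yaml workflow, the script below simulates what the runner does with a ${{ }} expression in a run: block: the value is spliced into the script text before bash parses it, whereas a value passed through env: only ever reaches the shell as the contents of a variable. The placeholder `${{ VALUE }}`, the two step templates and the injected string are constructed for the demonstration; github.event_name itself can only take GitHub's fixed set of values, which is why the issue rates this as a consistency fix rather than an exploitable bug.

```shell
#!/bin/sh
# Added example: simulates GitHub Actions' textual substitution of a
# ${{ expr }} expression into a run: script versus passing the same value
# through env:. The placeholder "${{ VALUE }}" and the injected value below
# are constructed for this demonstration; they are not GitHub identifiers.

# Textual substitution, as the runner performs it before the shell sees the
# script. $1 is the script template, $2 the expression's value.
render_interpolated() {
  printf '%s\n' "$1" | awk -v val="$2" '
    { i = index($0, "${{ VALUE }}")
      if (i) $0 = substr($0, 1, i - 1) val substr($0, i + 12)
      print }'
}

# Inline pattern: the rendered text is the script bash executes, so the
# value is parsed as shell source.
run_interpolated() {
  bash -c "$(render_interpolated "$1" "$2")"
}

# env: pattern: the script text is fixed and the value is only data in an
# environment variable at execution time.
run_env() {
  VALUE="$2" bash -c "$1"
}

# The same conditional written both ways (constructed step bodies).
INTERPOLATED_TEMPLATE='if [ "${{ VALUE }}" = "pull_request" ]; then echo pr; else echo other; fi'
ENV_TEMPLATE='if [ "$VALUE" = "pull_request" ]; then echo pr; else echo other; fi'

# A value that closes the quoted string and the test, runs a command, then
# reopens the test so the remainder of the step still parses (constructed).
INJECTED='x" = "x" ]; then echo INJECTED; fi; if [ "'

echo "interpolated, benign value:   $(run_interpolated "$INTERPOLATED_TEMPLATE" pull_request)"
echo "env var, benign value:        $(run_env "$ENV_TEMPLATE" pull_request)"
echo "interpolated, injected value: $(run_interpolated "$INTERPOLATED_TEMPLATE" "$INJECTED" | tr '\n' ' ')"
echo "env var, injected value:      $(run_env "$ENV_TEMPLATE" "$INJECTED")"
```

With the benign value both variants print `pr`. With the injected value the interpolated step prints `INJECTED` and then falls through to `other`, because the value rewrote the script; the env: variant prints only `other`, since the quoted `$VALUE` is compared as a single string no matter what it contains. That difference is the whole reason for routing inputs through env:, and applying it uniformly, even to values GitHub fixes like github.event_name, keeps the workflow free of the inline pattern that is dangerous for attacker-influenced inputs.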