From 733415cdaaeaf631bcc5f3db562f742f1afeb3db Mon Sep 17 00:00:00 2001
From: Jorge <46056498+jorgectf@users.noreply.github.com>
Date: Tue, 23 Jan 2024 17:55:03 +0100
Subject: [PATCH 1/2] Polish use of `changed-files`: Disable `safe_output` and use env var (#48787)
Co-authored-by: Peter Bengtsson
Co-authored-by: Peter Bengtsson
---
 .github/workflows/content-lint-markdown.yml | 11 ++++++++++-
 .github/workflows/test-changed-content.yml | 5 +++++
 2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/content-lint-markdown.yml b/.github/workflows/content-lint-markdown.yml
index 265fe6fb75..47a1051eaa 100644
--- a/.github/workflows/content-lint-markdown.yml
+++ b/.github/workflows/content-lint-markdown.yml
@@ -32,10 +32,19 @@ jobs:
 id: changed-files
 uses: tj-actions/changed-files@716b1e13042866565e00e85fd4ec490e186c4a2f # v41.0.1
 with:
+ # No need to escape the file names because we make the output of
+ # tj-actions/changed-files be set as an environment variable. Not
+ # as a direct input to the line of bash that uses it.
+ safe_output: false
 files: |
 content/**
 data/**
 - name: Run content linter if changed content/data files
 if: steps.changed-files.outputs.any_changed == 'true'
- run: npm run lint-content -- --errors-only --paths ${{ steps.changed-files.outputs.all_changed_files }}
+ env:
+ # Make it an environment variable so that its value doesn't need to be escaped.
+ # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
+ CHANGED_FILES: |-
+ ${{ steps.changed-files.outputs.all_changed_files }}
+ run: npm run lint-content -- --errors-only --paths "$CHANGED_FILES"
diff --git a/.github/workflows/test-changed-content.yml b/.github/workflows/test-changed-content.yml
index f24d769894..d6b2e551b6 100644
--- a/.github/workflows/test-changed-content.yml
+++ b/.github/workflows/test-changed-content.yml
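Review bot: In `.github/workflows/content-lint-markdown.yml`, the new `run:` line quotes `"$CHANGED_FILES"`, so the whole list reaches `--paths` as a single argument, whereas the removed inline expression was word-split by the shell into one argument per file. No `separator` is set in the visible `with:` block, so the names are presumably space-joined, and unless `lint-content` splits the value itself (this commit touches only the two workflow files) a pull request changing several files would be linted as one path. The intermediate variable is the right defence against script injection and should stay; to keep per-file arguments as well, set `separator: "\n"` on the action and expand an array: `mapfile -t files <<< "$CHANGED_FILES"` then `npm run lint-content -- --errors-only --paths "${files[@]}"`. The step that owns this `with:` block begins outside the hunk.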
@@ -47,6 +47,11 @@ jobs:
 id: changed-files
 uses: tj-actions/changed-files@716b1e13042866565e00e85fd4ec490e186c4a2f # v41.0.1
 with:
+ # No need to escape the file names because we make the output of
+ # tj-actions/changed-files be set as an environment variable. Not
+ # as a direct input to the line of bash that uses it.
+ # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
+ safe_output: false
 files: 'content/**'
 # Necessary so we can know what the old name was when a
 # content file was renamed.
From c0a98f42816f9408c7921eda6abe67efbc5364be Mon Sep 17 00:00:00 2001
From: Sarah Edwards
Date: Tue, 23 Jan 2024 08:58:59 -0800
Subject: [PATCH 2/2] Update comment based on feedback (#48807)
---
 src/workflows/get-preview-app-info.sh | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/workflows/get-preview-app-info.sh b/src/workflows/get-preview-app-info.sh
index 094ff29687..3624f683d0 100755
--- a/src/workflows/get-preview-app-info.sh
+++ b/src/workflows/get-preview-app-info.sh
@@ -14,9 +14,10 @@ PREVIEW_ENV_LOCATION="eastus"
-# If a CUSTOM_GITHUB_REPOSITORY variable was set, use that.
-# Otherwise, use the default GITHUB_REPOSITORY value.
-# (This allows us to call this script from another repo.)
+# GITHUB_REPOSITORY is a default env variable and cannot be overwritten.
+# Use CUSTOM_GITHUB_REPOSITORY to specify a repo owner/name
+# other than the repo owner/name where this script was called from.
+# If CUSTOM_GITHUB_REPOSITORY is not specified, fall back to GITHUB_REPOSITORY.
 REPO_NAME_WITH_OWNER="${CUSTOM_GITHUB_REPOSITORY:-$GITHUB_REPOSITORY}"
 REPO_NAME="${REPO_NAME_WITH_OWNER#*\/}"
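Review bot: In `.github/workflows/test-changed-content.yml`, the comment added above `safe_output: false` says the output is consumed through an environment variable, but the step that reads `steps.changed-files.outputs.*` is outside this hunk and, going by the diffstat, is not changed by this commit, so the claim cannot be checked here. With escaping turned off, any remaining `${{ steps.changed-files.outputs... }}` expanded directly inside a `run:` script in this workflow would let a crafted file name from a pull request be interpreted by the shell. Confirm that every consumer passes the value through `env:` and a quoted `"$VAR"`. A short comment at the consuming step would keep the two in sync, for example `# changed-files output is unescaped (safe_output: false); keep it in env, never inline in run`.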