From 96c8196a624c57939f708dffa0974f68f9b4cb84 Mon Sep 17 00:00:00 2001
From: jmeridth
Date: Tue, 22 Oct 2024 08:38:40 -0500
Subject: [PATCH] fix: use deploy environment for build job and replace ref with sha to prevent TOCTOU

based on feedback from security folks

Signed-off-by: jmeridth
Co-authored-by: Kylie Stradley <4666485+KyFaSt@users.noreply.github.com>
---
 .github/workflows/jekyll-preview.yml | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/jekyll-preview.yml b/.github/workflows/jekyll-preview.yml
index e9173b89f82..bf756705105 100644
--- a/.github/workflows/jekyll-preview.yml
+++ b/.github/workflows/jekyll-preview.yml
@@ -17,11 +17,13 @@ permissions:
 # Allow only one concurrent deployment per PR, skipping runs queued between the run in-progress and latest queued.
 # However, do NOT cancel in-progress runs as we want to allow these production deployments to complete.
 concurrency:
- group: 'pages-preview @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}'
+ group: "pages-preview @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}"
 cancel-in-progress: false
 jobs:
 # Build job
 build:
+ environment:
+ name: "Pages Preview"
 # Limit permissions of the GITHUB_TOKEN for untrusted code
 permissions:
 contents: read
@@ -31,7 +33,7 @@ jobs:
 uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
 with:
 # For PRs make sure to checkout the PR branch
- ref: ${{ github.event.pull_request.head.ref }}
+ ref: ${{ github.event.pull_request.head.sha }}
 repository: ${{ github.event.pull_request.head.repo.full_name }}
 - name: Setup Pages
 uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5
@@ -46,7 +48,7 @@ jobs:
 # Deployment job
 deploy:
 environment:
- name: 'Pages Preview'
+ name: "Pages Preview"
 url: ${{ steps.deployment.outputs.page_url }}
 # Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
 permissions:
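Review bot: The new `environment:` added to the `build` job carries no comment saying why a build job is bound to a deployment environment, while the neighbouring `# Limit permissions of the GITHUB_TOKEN for untrusted code` does explain the permissions block; the safeguard this gives is only as strong as the protection rules configured on the "Pages Preview" environment in repository settings, which the workflow file itself cannot express or check. Suggest adding above it: `# Bind the build to the "Pages Preview" environment so its protection rules (e.g. required reviewers) gate builds of untrusted PR code`. Note also that environment-scoped secrets of "Pages Preview" become readable by this job, which (per the checkout step in the next hunk) checks out code from the PR head repository, so that environment should hold no secrets the build does not need. The workflow trigger and the remainder of the build job lie outside this hunk.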
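Review bot: The retained context comment `# For PRs make sure to checkout the PR branch` is now stale, because the step checks out the pull request's head commit rather than its branch; suggest `# For PRs check out the exact head commit (sha, not ref) so a push to the branch after the run is approved cannot change what is built`. Since the step still takes code from `head.repo.full_name`, which for a fork is untrusted, it may also be worth adding `persist-credentials: false` under `with:` so the token is not left in the checkout's git config for later steps running that code. The checkout step's `- name:` line and the rest of the build job are outside the hunk.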
@@ -60,4 +62,4 @@ jobs:
 id: deployment
 uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4
 with:
- preview: 'true'
+ preview: "true"