
Commit c956de0

committed
ci: For security, replace some workflow substitutions with safer env substitutions
Signed-off-by: Larry Gritz <lg@larrygritz.com>
1 parent 583ace5 commit c956de0


1 file changed

+7
-5
lines changed


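--- a/.github/workflows/build-steps.yml
+++ b/.github/workflows/build-steps.yml
@@ -122,6 +122,8 @@ jobs:
 # against and testing an optional dependency, but in fact are not.
 OpenImageIO_REQUIRED_DEPS: ${{inputs.required_deps}}
 OpenImageIO_OPTIONAL_DEPS: ${{inputs.optional_deps}}
+SETENVS: ${{inputs.setenvs}}
+DEPCMDS: ${{inputs.depcmds}}
 
 steps:
 - name: install nodejs20glibc2.17
@@ -133,7 +135,7 @@ jobs:
 - name: Build setup
 shell: bash
 run: |
-${{inputs.setenvs}}
+eval "$SETENVS"
 src/build-scripts/ci-startup.bash
 - name: Prepare ccache timestamp
 id: ccache_cache_keys
@@ -150,7 +152,7 @@ jobs:
 - name: Dependencies
 shell: bash
 run: |
-${{inputs.depcmds}}
+eval "$DEPCMDS"
 if [[ "$RUNNER_OS" == "Linux" ]]; then
 src/build-scripts/gh-installdeps.bash
 elif [[ "$RUNNER_OS" == "macOS" ]]; then
@@ -208,10 +210,10 @@ jobs:
 run: |
 which sonar-scanner
 ls -l /__w/OpenImageIO/OpenImageIO/bw_output
-echo "BUILD_OUTPUT_DIR is " "${{ env.BUILD_WRAPPER_OUT_DIR }}"
+echo "BUILD_OUTPUT_DIR is ${BUILD_WRAPPER_OUT_DIR}"
 find . -name "*.gcov" -print
-# sonar-scanner --define sonar.cfamily.compile-commands="${{ env.BUILD_WRAPPER_OUT_DIR }}/compile_commands.json"
-time sonar-scanner --define sonar.host.url="${{ env.SONAR_SERVER_URL }}" --define sonar.cfamily.compile-commands="$BUILD_WRAPPER_OUT_DIR/compile_commands.json" --define sonar.cfamily.gcov.reportsPath="_coverage" --define sonar.cfamily.threads="$PARALLEL"
+# sonar-scanner --define sonar.cfamily.compile-commands="${BUILD_WRAPPER_OUT_DIR}/compile_commands.json"
+time sonar-scanner --define sonar.host.url="${SONAR_SERVER_URL}" --define sonar.cfamily.compile-commands="$BUILD_WRAPPER_OUT_DIR/compile_commands.json" --define sonar.cfamily.gcov.reportsPath="_coverage" --define sonar.cfamily.threads="$PARALLEL"
 # Consult https://docs.sonarcloud.io/advanced-setup/ci-based-analysis/sonarscanner-cli/ for more information and options
 - name: Check ABI
 if: inputs.abi_check != ''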
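Review bot: `eval "$SETENVS"` in the Build setup step and `eval "$DEPCMDS"` in the Dependencies step still run the full text of the input as shell code. Moving the value into `env:` stops it being spliced into the script at template time, but the workflow trusts whoever supplies `setenvs` and `depcmds` exactly as before. That holds only while every caller passes literals written in the repository, and it breaks if a caller ever builds either input from event data such as a PR title or branch name. I would record the assumption next to the two new env entries, for example `# SETENVS/DEPCMDS are eval'd as shell in later steps: callers must pass only repo-authored literals, never github.event.* data.` The job definition and the `inputs:` declarations lie outside the hunks shown, so how these inputs are typed or restricted cannot be checked from here.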
