Skip to content

Fix template injection in e2e-versions.yml (zizmor alert #122)#1120

Merged
brunoborges merged 2 commits into
mainfrom
copilot/fix-code-scanning-alert-122
Jul 14, 2026
Merged

Fix template injection in e2e-versions.yml (zizmor alert #122)#1120
brunoborges merged 2 commits into
mainfrom
copilot/fix-code-scanning-alert-122

Conversation

Copilot AI commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Resolves a zizmor/template-injection code scanning alert by removing direct GitHub expression expansion inside a run: bash script, which could allow shell injection if output values contain metacharacters.

Changes:

  • In the "Verify Java 21 outputs are set" step, moved ${{ steps.setup-java-21.outputs.path }} and ${{ steps.setup-java-21.outputs.version }} from inline script expansion into env: variables (JAVA_21_PATH, JAVA_21_VERSION), consistent with the safe pattern used throughout the rest of the workflow.
# Before (unsafe)
run: |
  if [ -z "${{ steps.setup-java-21.outputs.path }}" ]; then ...

# After (safe)
env:
  JAVA_21_PATH: ${{ steps.setup-java-21.outputs.path }}
  JAVA_21_VERSION: ${{ steps.setup-java-21.outputs.version }}
run: |
  if [ -z "$JAVA_21_PATH" ]; then ...

Related issue:
N/A — code scanning alert #122

Check list:

  • Ran npm run check locally (format, lint, build, test) and all checks pass.
  • Mark if documentation changes are required.
  • Mark if tests were added or updated to cover the changes.

Copilot AI changed the title [WIP] Fix code scanning alert #122 Fix template injection in e2e-versions.yml (zizmor alert #122) Jul 14, 2026
Copilot AI requested a review from brunoborges July 14, 2026 19:39
@brunoborges brunoborges marked this pull request as ready for review July 14, 2026 19:55
@brunoborges brunoborges requested a review from a team as a code owner July 14, 2026 19:55
Copilot AI review requested due to automatic review settings July 14, 2026 19:55
@brunoborges brunoborges merged commit cd57b95 into main Jul 14, 2026
@brunoborges brunoborges deleted the copilot/fix-code-scanning-alert-122 branch July 14, 2026 19:55
Copilot stopped reviewing on behalf of brunoborges due to an error July 14, 2026 19:55

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Updates the e2e GitHub Actions workflow to verify Java 21 setup outputs using step-scoped environment variables, improving shell interpolation consistency.

Changes:

  • Pass setup-java-21 outputs into the verification step via env
  • Update verification script to reference $JAVA_21_PATH / $JAVA_21_VERSION instead of inline ${{ ... }} expressions
Show a summary per file
File Description
.github/workflows/e2e-versions.yml Refactors the Java 21 output verification step to use environment variables for easier/safer shell usage

Review details

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 1/1 changed files
  • Comments generated: 0
  • Review effort level: Low

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants