fix: github workflow vulnerable to script injection (#2663)

diogoteles08 · diegomarquezp · web-flow · commit 9151ac27638e · 2024-09-11T11:35:51.000-04:00
* inline repo's full_name as env var

Signed-off-by: Diogo Teles Sant'Anna &lt;diogoteles@google.com&gt;
Co-authored-by: Diego Marquez &lt;diegomarquezp@google.com&gt;
diff --git a/.github/workflows/hermetic_library_generation.yaml b/.github/workflows/hermetic_library_generation.yaml
@@ -19,10 +19,14 @@ on:
     paths:
       - 'generation_config.yaml'
 
+
+env:
+  HEAD_REF: ${{ github.head_ref }}
+  REPO_FULL_NAME: ${{ github.event.pull_request.head.repo.full_name }}
+  GITHUB_REPOSITORY: ${{ github.repository }}
+
 jobs:
   library_generation:
-    # skip pull requests coming from a forked repository
-    if: github.event.pull_request.head.repo.full_name == github.repository
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v4
@@ -32,11 +36,15 @@ jobs:
     - name: Generate changed libraries
       shell: bash
       run: |
-        set -x
+        set -ex
+        if [[ "${GITHUB_REPOSITORY}" != "${REPO_FULL_NAME}" ]]; then
+          echo "This PR comes from a fork. Generation will be skipped"
+          exit 0
+        fi
         [ -z "$(git config user.email)" ] && git config --global user.email "cloud-java-bot@google.com"
         [ -z "$(git config user.name)" ] && git config --global user.name "cloud-java-bot"
         bash .github/scripts/hermetic_library_generation.sh \
           --target_branch ${{ github.base_ref }} \
-          --current_branch ${{ github.head_ref }}
+          --current_branch $HEAD_REF
       env:
         GH_TOKEN: ${{ secrets.CLOUD_JAVA_BOT_TOKEN }}
