.github/actions/.gitignore

.github/actions/add-issue-label/action.yml

-Original file line number
+Diff line change
@@ -0,0 +1,18 @@
+    name: 'Add Issue Label'
+    description: 'Safely add a label to a GitHub issue'
+    inputs:
+      github-token:
+        description: 'GitHub token for API access'
+        required: true
+      repository:
+        description: 'Repository in format owner/repo'
+        required: true
+      issue-number:
+        description: 'Issue number to add label to'
+        required: true
+      label:
+        description: 'Label to add'
+        required: true
+    runs:
+      using: 'node16'
+      main: 'index.js'

.github/actions/add-issue-label/index.js

-Original file line number
+Diff line change
@@ -0,0 +1,36 @@
+    const core = require('@actions/core');
+    const github = require('@actions/github');
+    /**
+     * Safely add a label to a GitHub issue
+     * This approach uses the GitHub API directly, avoiding all shell injection risks
+     */
+    async function addIssueLabel() {
+      try {
+        const token = core.getInput('github-token');
+        const repository = core.getInput('repository');
+        const issueNumber = parseInt(core.getInput('issue-number'));
+        const label = core.getInput('label');
+        // Initialize GitHub API client
+        const octokit = github.getOctokit(token);
+        // Parse repository owner/name
+        const [owner, repo] = repository.split('/');
+        // Add label using GitHub API - completely safe from injection
+        const response = await octokit.rest.issues.addLabels({
+          owner,
+          repo,
+          issue_number: issueNumber,
+          labels: [label]
+        });
+        console.log(`Label "${label}" added successfully to issue #${issueNumber}`);
+      } catch (error) {
+        core.setFailed(`Failed to add label: ${error.message}`);
+      }
+    }
+    addIssueLabel();

.github/actions/add-issue-label/package-lock.json

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

.github/actions/add-issue-label/package.json

-Original file line number
+Diff line change
@@ -0,0 +1,10 @@
+    {
+      "name": "add-issue-label",
+      "version": "1.0.0",
+      "description": "GitHub Action to safely add issue labels",
+      "main": "index.js",
+      "dependencies": {
+        "@actions/core": "^1.10.0",
+        "@actions/github": "^5.1.1"
+      }
+    }

.github/actions/post-issue-comment/action.yml

-Original file line number
+Diff line change
@@ -0,0 +1,18 @@
+    name: 'Post Issue Comment'
+    description: 'Safely post a comment to a GitHub issue'
+    inputs:
+      github-token:
+        description: 'GitHub token for API access'
+        required: true
+      repository:
+        description: 'Repository in format owner/repo'
+        required: true
+      issue-number:
+        description: 'Issue number to comment on'
+        required: true
+      json-file-path:
+        description: 'Path to the JSON file to include in comment'
+        required: true
+    runs:
+      using: 'node16'
+      main: 'index.js'

Fix GitHub workflow security vulnerabilities - comprehensive defense eliminating all command injection vectors #118

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft

Copilot wants to merge 7 commits into main from copilot/fix-117

-Original file line number
+Diff line change
@@ -0,0 +1,18 @@
+    name: 'Add Issue Label'
+    description: 'Safely add a label to a GitHub issue'
+    inputs:
+      github-token:
+        description: 'GitHub token for API access'
+        required: true
+      repository:
+        description: 'Repository in format owner/repo'
+        required: true
+      issue-number:
+        description: 'Issue number to add label to'
+        required: true
+      label:
+        description: 'Label to add'
+        required: true
+    runs:
+      using: 'node16'
+      main: 'index.js'

-Original file line number
+Diff line change
@@ -0,0 +1,36 @@
+    const core = require('@actions/core');
+    const github = require('@actions/github');
+    /**
+     * Safely add a label to a GitHub issue
+     * This approach uses the GitHub API directly, avoiding all shell injection risks
+     */
+    async function addIssueLabel() {
+      try {
+        const token = core.getInput('github-token');
+        const repository = core.getInput('repository');
+        const issueNumber = parseInt(core.getInput('issue-number'));
+        const label = core.getInput('label');
+        // Initialize GitHub API client
+        const octokit = github.getOctokit(token);
+        // Parse repository owner/name
+        const [owner, repo] = repository.split('/');
+        // Add label using GitHub API - completely safe from injection
+        const response = await octokit.rest.issues.addLabels({
+          owner,
+          repo,
+          issue_number: issueNumber,
+          labels: [label]
+        });
+        console.log(`Label "${label}" added successfully to issue #${issueNumber}`);
+      } catch (error) {
+        core.setFailed(`Failed to add label: ${error.message}`);
+      }
+    }
+    addIssueLabel();

-Original file line number
+Diff line change
@@ -0,0 +1,10 @@
+    {
+      "name": "add-issue-label",
+      "version": "1.0.0",
+      "description": "GitHub Action to safely add issue labels",
+      "main": "index.js",
+      "dependencies": {
+        "@actions/core": "^1.10.0",
+        "@actions/github": "^5.1.1"
+      }
+    }

-Original file line number
+Diff line change
@@ -0,0 +1,18 @@
+    name: 'Post Issue Comment'
+    description: 'Safely post a comment to a GitHub issue'
+    inputs:
+      github-token:
+        description: 'GitHub token for API access'
+        required: true
+      repository:
+        description: 'Repository in format owner/repo'
+        required: true
+      issue-number:
+        description: 'Issue number to comment on'
+        required: true
+      json-file-path:
+        description: 'Path to the JSON file to include in comment'
+        required: true
+    runs:
+      using: 'node16'
+      main: 'index.js'

Provide feedback