Avoid script interpolation

- Use environment variables in inline scripts instead of using interpolation to avoid script injection. - Tighten-up some of the default GitHub token permissions.
App-vNext · martincostello · Feb 15, 2025 · Feb 15, 2025 · Feb 15, 2025 · Feb 15, 2025
commit cf53d0bd163ec8579f5cb5b4bb83cb5e4e5e9c8c
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -190,19 +190,22 @@
       env:
         AZURE_CLIENT_ID: ${{ secrets.SIGN_CLI_APPLICATION_ID }}
         AZURE_CLIENT_SECRET: ${{ secrets.SIGN_CLI_SECRET }}
+        AZURE_KEY_VAULT_CERTIFICATE: ${{ secrets.SIGN_CLI_CERT_NAME }}
+        AZURE_KEY_VAULT_URL: ${{ secrets.SIGN_CLI_VAULT_URI }}
         AZURE_TENANT_ID: ${{ secrets.SIGN_CLI_TENANT_ID }}
+        VERBOSITY: ${{ runner.debug == '1' && 'Debug' || 'Warning' }}
       run: |
         ./sign code azure-key-vault `
           **/*.nupkg `
-          --base-directory "${{ github.workspace }}/packages" `
-          --file-list "${{ github.workspace }}/signing-config/filelist.txt" `
+          --base-directory "${env:GITHUB_WORKSPACE}/packages" `
+          --file-list "${env:GITHUB_WORKSPACE}/signing-config/filelist.txt" `
           --application-name "Polly" `
           --publisher-name "App vNext" `
           --description "Polly" `
-          --description-url "https://github.com/${{ github.repository }}" `
-          --azure-key-vault-certificate "${{ secrets.SIGN_CLI_CERT_NAME }}" `
-          --azure-key-vault-url "${{ secrets.SIGN_CLI_VAULT_URI }}" `
-          --verbosity "${{ runner.debug == '1' && 'Debug' || 'Warning' }}"
+          --description-url "https://github.com/${env:GITHUB_REPOSITORY}" `
+          --azure-key-vault-certificate ${env:AZURE_KEY_VAULT_CERTIFICATE} `
+          --azure-key-vault-url ${env:AZURE_KEY_VAULT_URL} `
+          --verbosity "${env:VERBOSITY}"
         if ($LASTEXITCODE -ne 0) {
           Write-Output "::error::Failed to sign NuGet packages"
           exit 1
@@ -348,7 +351,9 @@
         dotnet-version: ${{ needs.build.outputs.dotnet-sdk-version }}
 
     - name: Push signed NuGet packages to NuGet.org
-      run: dotnet nuget push "*.nupkg" --api-key ${{ secrets.NUGET_TOKEN }} --skip-duplicate --source https://api.nuget.org/v3/index.json
+      env:
+        NUGET_TOKEN: ${{ secrets.NUGET_TOKEN }}
+      run: dotnet nuget push "*.nupkg" --api-key ${env:NUGET_TOKEN} --skip-duplicate --source https://api.nuget.org/v3/index.json
 
     - name: Generate GitHub application token
       id: generate-application-token

diff --git a/.github/workflows/dependabot-approve.yml b/.github/workflows/dependabot-approve.yml
@@ -2,14 +2,16 @@ name: dependabot-approve
 
 on: pull_request_target
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   review:
     runs-on: ubuntu-latest
     if: github.event.repository.fork == false && github.event.pull_request.user.login == 'dependabot[bot]'
 
+    permissions:
+      contents: read
+
     steps:
 
       - name: Get dependabot metadata
@@ -22,7 +24,7 @@ jobs:
         with:
           application_id: ${{ secrets.POLLY_REVIEWER_BOT_APP_ID }}
           application_private_key: ${{ secrets.POLLY_REVIEWER_BOT_KEY }}
-          permissions: "contents:write, pull_requests:write, workflows:write"
+          permissions: 'contents:write, pull_requests:write, workflows:write'
 
       - name: Checkout code
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -7,14 +7,16 @@ on:
       - release/*
       - dotnet-vnext
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   dependency-review:
     runs-on: ubuntu-latest
     if: github.event.repository.fork == false
 
+    permissions:
+      contents: read
+
     steps:
 
       - name: Checkout code

diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml
@@ -12,15 +12,17 @@ on:
       - dotnet-vnext
   workflow_dispatch:
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
 
   build-docs:
     runs-on: ubuntu-latest
     timeout-minutes: 20
 
+    permissions:
+      contents: read
+
     steps:
 
     - name: Checkout code

diff --git a/.github/workflows/on-push-do-docs.yml b/.github/workflows/on-push-do-docs.yml
@@ -62,7 +62,7 @@ jobs:
 
           git config user.email $GitEmail | Out-Null
           git config user.name $GitUser | Out-Null
-          git remote set-url "${{ github.server_url }}/${{ github.repository }}.git" | Out-Null
+          git remote set-url "${env:GITHUB_SERVER_URL}/${env:GITHUB_REPOSITORY}.git" | Out-Null
           git fetch origin | Out-Null
           git rev-parse --verify --quiet ("remotes/origin/" + $BranchName) | Out-Null
 
@@ -80,17 +80,18 @@ jobs:
       - name: Create pull request
         if: steps.update-docs.outputs.updated-docs == 'true'
         uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        env:
+          BRANCH_NAME: ${{ steps.update-docs.outputs.branchName }}
         with:
           github-token: ${{ steps.generate-application-token.outputs.token }}
           script: |
             const { repo, owner } = context.repo;
-            const workflowUrl = `${{ github.server_url }}/${owner}/${repo}/actions/runs/${process.env.GITHUB_RUN_ID}`;
-            const branchName = "${{ steps.update-docs.outputs.branchName }}";
-            const result = await github.rest.pulls.create({
+            const workflowUrl = `${process.env.GITHUB_SERVER_URL}/${owner}/${repo}/actions/runs/${process.env.GITHUB_RUN_ID}`;
+            await github.rest.pulls.create({
               title: 'Update the code-snippets in the documentation',
               owner,
               repo,
-              head: branchName,
+              head: process.env.BRANCH_NAME,
               base: 'main',
               body: [
                 'This PR updates the code-snippets in the documentation.',

diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
@@ -5,9 +5,7 @@ on:
     - cron: '30 1 * * *'
   workflow_dispatch:
 
-permissions:
-  issues: read
-  pull-requests: read
+permissions: {}
 
 jobs:
   stale:

diff --git a/.github/workflows/update-dotnet-sdk.yml b/.github/workflows/update-dotnet-sdk.yml
@@ -5,12 +5,13 @@ on:
     - cron:  '0 12 * * WED'
   workflow_dispatch:
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   update-dotnet-sdk:
     uses: martincostello/update-dotnet-sdk/.github/workflows/update-dotnet-sdk.yml@758e92b362c4164925583874878423a794cce239 # v3.4.1
+    permissions:
+      contents: read
     with:
       labels: "dependencies,.NET"
       update-nuget-packages: false
@@ -32,4 +33,5 @@ jobs:
     - name: Add security label
       env:
         GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      run: gh pr edit "${{ needs.update-dotnet-sdk.outputs.pull-request-html-url }}" --add-label security
+        PR_URL: ${{ needs.update-dotnet-sdk.outputs.pull-request-html-url }}
+      run: gh pr edit "${PR_URL}" --add-label security
diff --git a/.github/workflows/updater-approve.yml b/.github/workflows/updater-approve.yml
@@ -7,8 +7,7 @@ on:
       - release/*
       - dotnet-vnext
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   review:
@@ -19,6 +18,9 @@ jobs:
       REVIEWER_LOGIN: "polly-reviewer-bot[bot]"
       UPDATER_LOGIN: "polly-updater-bot[bot]"
 
+    permissions:
+      contents: read
+
     steps:
 
     - name: Generate GitHub application token
@@ -27,7 +29,7 @@ jobs:
       with:
         application_id: ${{ secrets.POLLY_REVIEWER_BOT_APP_ID }}
         application_private_key: ${{ secrets.POLLY_REVIEWER_BOT_KEY }}
-        permissions: "contents:write, pull_requests:write"
+        permissions: 'contents:write, pull_requests:write'
 
     - name: Install powershell-yaml
       shell: pwsh
@@ -38,10 +40,11 @@ jobs:
       env:
         INCLUDE_NUGET_PACKAGES: "Microsoft.AspNetCore.,Microsoft.EntityFrameworkCore.,Microsoft.Extensions.,System.Text.Json"
         GH_TOKEN: ${{ steps.generate-application-token.outputs.token }}
+        PR_NUMBER: ${{ github.event.pull_request.number }}
       shell: pwsh
       run: |
         $commits = gh api `
-          /repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/commits `
+          /repos/${env:GITHUB_REPOSITORY}/pulls/${env:PR_NUMBER}/commits `
           --jq '.[] | { author: .author.login, message: .commit.message }' | ConvertFrom-Json
 
         $expectedUser = ${env:UPDATER_LOGIN}
@@ -107,10 +110,11 @@ jobs:
       if: steps.check-dependencies.outputs.is-trusted-update == 'true'
       env:
         GH_TOKEN: ${{ steps.generate-application-token.outputs.token }}
+        PR_NUMBER: ${{ github.event.pull_request.number }}
         PR_URL: ${{ github.event.pull_request.html_url }}
       shell: pwsh
       run: |
-        $approvals = gh api /repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/reviews | ConvertFrom-Json
+        $approvals = gh api /repos/${env:GITHUB_REPOSITORY}/pulls/${env:PR_NUMBER}/reviews | ConvertFrom-Json
         $approvals = $approvals | Where-Object { $_.user.login -eq ${env:REVIEWER_LOGIN} }
         $approvals = $approvals | Where-Object { $_.state -eq "APPROVED" }
 
@@ -127,10 +131,11 @@ jobs:
       if: steps.check-dependencies.outputs.is-trusted-update != 'true'
       env:
         GH_TOKEN: ${{ steps.generate-application-token.outputs.token }}
+        PR_NUMBER: ${{ github.event.pull_request.number }}
         PR_URL: ${{ github.event.pull_request.html_url }}
       shell: pwsh
       run: |
-        $approvals = gh api /repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/reviews | ConvertFrom-Json
+        $approvals = gh api /repos/${env:GITHUB_REPOSITORY}/pulls/${env:PR_NUMBER}/reviews | ConvertFrom-Json
         $approvals = $approvals | Where-Object { $_.user.login -eq ${env:REVIEWER_LOGIN} }
         $approvals = $approvals | Where-Object { $_.state -eq "APPROVED" }
 
@@ -140,7 +145,7 @@ jobs:
           foreach ($approval in $approvals) {
             gh api `
               --method PUT `
-              /repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/reviews/$($approval.id)/dismissals `
+              /repos/${env:GITHUB_REPOSITORY}/pulls/${env:PR_NUMBER}/reviews/$($approval.id)/dismissals `
               -f message='Cannot approve as other changes have been introduced.' `
               -f event='DISMISS'
           }