diff --git a/.github/workflows/gif_check.yml b/.github/workflows/gif_check.yml
index 6d7e96ca29e8b..0d6e507d77dc2 100644
--- a/.github/workflows/gif_check.yml
+++ b/.github/workflows/gif_check.yml
@@ -24,13 +24,30 @@ jobs:
 fetch-depth: 0
 persist-credentials: false
+ # Branch Name Validation to be run prior to workflow
+ - name: Validate branch name and set output
+ id: validate
+ run: |
+ BRANCH="${{ github.head_ref }}"
+ # Allow: letters, numbers, dots, hyphens, underscores, and forward slash
+ # This supports the required / format like "user.name/test-this-new-feature"
+ if [[ "$BRANCH" =~ ^[a-zA-Z0-9._/-]+$ ]] && [[ ${#BRANCH} -le 200 ]]; then
+ echo "valid=true" >> $GITHUB_OUTPUT
+ echo "branch=$BRANCH" >> $GITHUB_OUTPUT
+ else
+ echo "valid=false" >> $GITHUB_OUTPUT
+ echo "::error::Invalid branch name detected. Branch names must only contain letters, numbers, dots, hyphens, underscores, and forward slashes (max 200 chars)"
+ fi
+
 - name: Find changed files
 id: changed_files
+ if: steps.validate.outputs.valid == 'true'
 uses: tj-actions/changed-files@9200e69727eb73eb060652b19946b8a2fdfb654b # v45.0.8
 - name: Look for gifs
+ if: steps.validate.outputs.valid == 'true'
 env:
- branch: ${{ github.head_ref }}
+ branch: ${{ steps.validate.outputs.branch }}
 ALL_CHANGED_FILES: ${{ steps.changed_files.outputs.all_changed_files }}
 id: comment_body
 run: |
diff --git a/.github/workflows/preview_link.yml b/.github/workflows/preview_link.yml
index 406ea02087a22..b032bad7ef9d8 100644
--- a/.github/workflows/preview_link.yml
+++ b/.github/workflows/preview_link.yml
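Review bot: The new validate step expands `BRANCH="${{ github.head_ref }}"` into the script text before the check runs, so the untrusted head ref is evaluated by this step's shell before the regex ever sees it; a ref containing shell metacharacters (git ref names may contain `$`, `(`, `;` and quotes) is executed rather than rejected, which defeats the purpose of the step. Pass the value through the environment instead, `env: RAW_BRANCH: ${{ github.head_ref }}` on the step and `BRANCH="$RAW_BRANCH"` in the script, so the shell only ever sees it as data. The same interpolation is in the validate steps of preview_link.yml (hunk @@ -30) and synthetics.yml (hunk @@ -24, via `github.event.pull_request.head.ref`). Separately, the else branch only emits an `::error::` annotation and exits 0, so an invalid name leaves the job green with every later step skipped; if a failing check is intended, add `exit 1` after the annotation. The `Look for gifs` run block continues outside the hunk.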
@@ -30,15 +30,32 @@ jobs:
 python-version: '3.10'
 - run: pip install Mako docutils
+ # Branch Name Validation to be run prior to workflow
+ - name: Validate branch name and set output
+ id: validate
+ run: |
+ BRANCH="${{ github.head_ref }}"
+ # Allow: letters, numbers, dots, hyphens, underscores, and forward slash
+ # This supports the required / format like "user.name/test-this-new-feature"
+ if [[ "$BRANCH" =~ ^[a-zA-Z0-9._/-]+$ ]] && [[ ${#BRANCH} -le 200 ]] && [[ "$BRANCH" == *"/"* ]]; then
+ echo "valid=true" >> $GITHUB_OUTPUT
+ echo "branch=$BRANCH" >> $GITHUB_OUTPUT
+ else
+ echo "valid=false" >> $GITHUB_OUTPUT
+ echo "::error::Invalid branch name detected. Branch names must contain a forward slash and only contain letters, numbers, dots, hyphens, underscores, and forward slashes (max 200 chars)"
+ fi
+
 - name: Find changed files
 id: changed_files
+ if: steps.validate.outputs.valid == 'true'
 uses: tj-actions/changed-files@9200e69727eb73eb060652b19946b8a2fdfb654b # v45.0.8
 with:
 include_all_old_new_renamed_files: true
 - name: Generate links
+ if: steps.validate.outputs.valid == 'true'
 env:
- branch: ${{ github.head_ref }}
+ branch: ${{ steps.validate.outputs.branch }}
 DELETED_FILES: ${{ steps.changed_files.outputs.deleted_files }}
 RENAMED_FILES: ${{ steps.changed_files.outputs.renamed_files }}
 MODIFIED_FILES: ${{ steps.changed_files.outputs.modified_files }}
@@ -51,12 +68,14 @@ jobs:
 --added="${ADDED_FILES}"
 - name: Render template
+ if: steps.validate.outputs.valid == 'true'
 id: template
 uses: chuhlomin/render-template@a473db625a96c98e519d188812dc22bcaf54ffba # v1.9.0
 with:
 template: .github/preview-links-template.md
 - name: Find existing comment
+ if: steps.validate.outputs.valid == 'true'
 uses: peter-evans/find-comment@3eae4d37986fb5a8592848f6a574fdf654e61f9e # v3.1.0
 id: find_comment
 with:
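Review bot: This validate step is a near-verbatim copy of the one added to gif_check.yml and synthetics.yml, with one deliberate-looking difference, the extra `[[ "$BRANCH" == *"/"* ]]` clause and its longer error message, so the allow-list now lives in three places that can drift independently. If the slash requirement is meant to apply only to preview links, a one-line comment above the `if` saying so, e.g. `# Preview URLs are built from the "<user>/<topic>" path, so a slash is mandatory here`, would stop the next reader from "fixing" the other two copies; otherwise consider moving the check into a composite action each workflow calls, so the regex and the 200-character cap change in one place. The second hunk in this file (@@ -51) only adds `if:` guards and needs nothing further.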
@@ -65,6 +84,7 @@ jobs:
 body-includes: "Preview links ("
 - name: Post comment
+ if: steps.validate.outputs.valid == 'true'
 uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
 with:
 issue-number: ${{ github.event.pull_request.number }}
diff --git a/.github/workflows/synthetics.yml b/.github/workflows/synthetics.yml
index a87657bd8cf62..609051cf90b8b 100644
--- a/.github/workflows/synthetics.yml
+++ b/.github/workflows/synthetics.yml
@@ -24,15 +24,28 @@ jobs:
 sparse-checkout: |
 .
- - name: Extract branch name
- shell: bash
- run: echo "branch=$(echo ${{ github.event.pull_request.head.ref }})" >>$GITHUB_OUTPUT
- id: extract_branch
+ # Branch Name Validation to be run prior to workflow
+ - name: Validate branch name and set output
+ id: validate
+ run: |
+ BRANCH="${{ github.event.pull_request.head.ref }}"
+ # Allow: letters, numbers, dots, hyphens, underscores, and forward slash
+ # This supports the required / format like "user.name/test-this-new-feature"
+ if [[ "$BRANCH" =~ ^[a-zA-Z0-9._/-]+$ ]] && [[ ${#BRANCH} -le 200 ]]; then
+ echo "valid=true" >> $GITHUB_OUTPUT
+ echo "branch=$BRANCH" >> $GITHUB_OUTPUT
+ else
+ echo "valid=false" >> $GITHUB_OUTPUT
+ echo "::error::Invalid branch name detected. Branch names must only contain letters, numbers, dots, hyphens, underscores, and forward slashes (max 200 chars)"
+ fi
 - name: Check preview status
 id: check-status
+ if: steps.validate.outputs.valid == 'true'
 run: |
- URL="https://docs-staging.datadoghq.com/${{steps.extract_branch.outputs.branch}}"
+ # Use the validated branch name from previous step
+ BRANCH="${{ steps.validate.outputs.branch }}"
+ URL="https://docs-staging.datadoghq.com/${BRANCH}"
 SUCCESS_CODES=("200" "302" "304")
 for i in {1..30}
 do
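Review bot: The removed `Extract branch name` step in synthetics.yml declared `shell: bash`, but the validate step that replaces it does not, and its `[[ ... =~ ... ]]` and `${#BRANCH}` syntax is bash-only; on a GitHub-hosted Linux runner `run:` already defaults to bash so this passes today, but on a runner whose default shell differs the test would error out instead of rejecting the name. Restoring `shell: bash` on the validate step keeps the requirement explicit, and the same line is worth adding to the copies in gif_check.yml and preview_link.yml. The job's `runs-on` is not visible in this hunk, so treat this as a portability note rather than a live defect. The `Check preview status` run block, including its retry loop, continues outside the hunk.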
@@ -52,9 +65,10 @@ jobs:
 done
 - name: Run Datadog Synthetic tests
+ if: steps.validate.outputs.valid == 'true'
 uses: DataDog/synthetics-ci-github-action@d77d9c9a6228ff9b17a4e0056fb94d8c8010d79c # v1.3.0
 env:
- CI_COMMIT_REF_NAME: ${{steps.extract_branch.outputs.branch}}
+ CI_COMMIT_REF_NAME: ${{ steps.validate.outputs.branch }}
 with:
 api_key: ${{secrets.DD_API_KEY}}
 app_key: ${{secrets.DD_APP_KEY}}