Reference untrusted git branch names via environment variables. (firebase#1516)

jonsimantov · web-flow · commit 111c1a2cf712 · 2024-01-13T07:32:24.000Z
* Apply fix using environment variables.
diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml
@@ -111,16 +111,19 @@ jobs:
       - name: Check whether release notes have been updated
         # Skip this if the PR has the skipReleaseNotes label or if it's a merge to other than main.
         if: ${{!contains(github.event.pull_request.labels.*.name, env.skipReleaseNotesLabel) && (github.event.pull_request.base.ref == 'main')}}
+        env:
+          HEAD_REF: ${{github.event.pull_request.head.ref}}
+          BASE_REF: ${{github.event.pull_request.base.ref}}
         run: |
           set -e
           # Filename to check.
           README_FILE=release_build_files/readme.md
           # Determine the github merge base - same logic as integration_tests.yml
           # "git merge-base main branch_name" will give the common ancestor of both branches.
-          MERGE_BASE=$(git merge-base origin/${{github.event.pull_request.head.ref}} origin/${{github.event.pull_request.base.ref}} || true)
+          MERGE_BASE=$(git merge-base "origin/${HEAD_REF}" "origin/${BASE_REF}" || true)
           # If MERGE_BASE can't be determined, ignore this check, something odd is going on.
           if [[ -n "${MERGE_BASE}" ]]; then
-            DIFF_RESULT=$(git diff --name-only "origin/${{github.event.pull_request.head.ref}}..${MERGE_BASE}" -- "${README_FILE}")
+            DIFF_RESULT=$(git diff --name-only "origin/${HEAD_REF}..${MERGE_BASE}" -- "${README_FILE}")
             if [[ "${DIFF_RESULT}" != "${README_FILE}" ]]; then
               echo "::error ::Please update release notes (${README_FILE}) or add '${{env.skipReleaseNotesLabel}}' label."
               exit 1
diff --git a/.github/workflows/integration_tests.yml b/.github/workflows/integration_tests.yml
@@ -164,6 +164,9 @@ jobs:
         shell: bash
         command: pip install -r scripts/gha/python_requirements.txt
     - id: matrix_config
+      env:
+        HEAD_REF: ${{github.event.pull_request.head.ref}}
+        BASE_REF: ${{github.event.pull_request.base.ref}}
       run: |
         if [[ "${{ steps.set_outputs.outputs.requested_tests }}" == "expanded" ]]; then
           TEST_MATRIX_PARAM=-e=1
@@ -174,12 +177,12 @@ jobs:
         elif [[ "${{ steps.set_outputs.outputs.requested_tests }}" == "auto" ]]; then
           # auto-diff only apply when running in a PR.
           # diff against the PR's base. "git merge-base main branch_name" will give the common ancestor of both branches.
-          MERGE_BASE=$(git merge-base origin/${{github.event.pull_request.head.ref}} origin/${{github.event.pull_request.base.ref}} || true)
+          MERGE_BASE=$(git merge-base "origin/${HEAD_REF}" "origin/${BASE_REF}" || true)
           # If origin/<branch> is no longer valid, then just run all tests.
           if [[ -n "${MERGE_BASE}" ]]; then
-            echo "::warning ::Auto-diff origin/${{github.event.pull_request.head.ref}}..${MERGE_BASE}"
-            git diff --name-only origin/${{github.event.pull_request.head.ref}}..${MERGE_BASE}
-            TEST_MATRIX_PARAM="--auto_diff origin/${{github.event.pull_request.head.ref}}..${MERGE_BASE}"
+            echo '::warning ::Auto-diff origin/${HEAD_REF}..${MERGE_BASE}"
+            git diff --name-only "origin/${HEAD_REF}..${MERGE_BASE}"
+            TEST_MATRIX_PARAM="--auto_diff origin/${HEAD_REF}..${MERGE_BASE}"
           fi
         fi
 
@@ -188,12 +191,13 @@ jobs:
         if [[ "${{ github.event.schedule }}" == "0 9 * * *" ]]; then
           # at 1am PST/2am PDT. Running integration tests and generate test report for all testapps except firestore
           apis="analytics,app_check,auth,database,dynamic_links,functions,gma,installations,messaging,remote_config,storage"
+          echo "::warning ::Running main nightly tests"
         elif [[ "${{ github.event.schedule }}" == "0 10 * * *" || "${{ github.event.schedule }}" == "0 11 * * *" ]]; then
           # at 2am PST/3am PDT and 3am PST/4am PDT. Running integration tests for firestore and generate test report.
           echo "::warning ::Running Firestore nightly tests"
           apis="firestore"
         else
-          echo "::warning ::Running main nightly tests"
+          echo "::warning ::Running pull request tests"
           apis=$( python scripts/gha/print_matrix_configuration.py -c -w integration_tests -k apis -o "${{github.event.inputs.apis}}" ${TEST_MATRIX_PARAM} )
         fi
         if [[ "${{ github.event.schedule }}" == "0 11 * * *" ]]; then
