customerio / customerio-android

This is the official Customer.io SDK for Android.
MIT License

ci: use intermediate env var in run #347

Closed youngnicks-cio closed 1 month ago

youngnicks-cio commented 1 month ago

SEC-36

Using github variables in a GHA run step introduces a run shell injection vulnerability.

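The pattern this PR fixes, shown side by side, as an added example that is not part of the customerio-android repository's own workflow. The workflow name, job names and the `VERSION` variable are assumptions; `github.head_ref` and `$GITHUB_ENV` are standard GitHub Actions features. The branch name is chosen by whoever opens the pull request, so it is untrusted input to the workflow.

```yaml
# Added example (hypothetical workflow, not from customerio-android):
# deriving a snapshot version name from the pull request's branch name.
name: snapshot-build

on: [pull_request]

jobs:
  # Vulnerable pattern: the ${{ }} expression is expanded by the Actions
  # runner *before* the shell parses the script, so the branch name is
  # spliced into the command text and any shell metacharacters it contains
  # are interpreted as code rather than data.
  vulnerable:
    runs-on: ubuntu-latest
    steps:
      - run: |
          echo "VERSION=${{ github.head_ref }}-SNAPSHOT" >> "$GITHUB_ENV"

  # Hardened pattern (the approach taken by this PR): pass the value through
  # an intermediate environment variable. The runner stores the branch name
  # verbatim in HEAD_REF; the shell then reads it as a plain string.
  hardened:
    runs-on: ubuntu-latest
    steps:
      - env:
          HEAD_REF: ${{ github.head_ref }}
        run: |
          # Keep the expansion double-quoted so the value is never word-split
          # or glob-expanded by the shell either.
          echo "VERSION=${HEAD_REF}-SNAPSHOT" >> "$GITHUB_ENV"
```

The same rule applies to any other attacker-influenced context value used inside `run:` (pull request titles, commit messages, issue bodies): bind it to an `env:` entry and reference it as `"$NAME"` in the script, rather than interpolating `${{ }}` directly into the command text.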

github-actions[bot] commented 1 month ago
# Sample app builds 📱

Below you will find the list of the latest versions of the sample apps. It's recommended to always download the latest builds of the sample apps to accurately test the pull request.

---

* java_layout: `sec-36-gha-run-shell-injection-vulnerability (1716562239)`
* kotlin_compose: `sec-36-gha-run-shell-injection-vulnerability (1716562236)`

codecov[bot] commented 1 month ago

Codecov Report

All modified and coverable lines are covered by tests :white_check_mark:

Project coverage is 54.32%. Comparing base (c8cbb12) to head (d306cfb).

Additional details and impacted files

```diff
@@            Coverage Diff             @@
##             main     #347      +/-   ##
============================================
- Coverage   54.38%   54.32%   -0.06%
  Complexity    282      282
============================================
  Files         109      109
  Lines        2534     2511     -23
  Branches      355      355
============================================
- Hits         1378     1364     -14
+ Misses       1032     1025      -7
+ Partials      124      122      -2
```


github-actions[bot] commented 1 month ago

📏 SDK Binary Size Comparison Report

No changes detected in SDK binary size ✅

github-actions[bot] commented 1 month ago

Build available to test

Version: sec-36-gha-run-shell-injection-vulnerability-SNAPSHOT

Repository: https://s01.oss.sonatype.org/content/repositories/snapshots/

youngnicks-cio commented 1 month ago

I fixed the version name by moving it to run.