ericcornelissen / ades

Find dangerous uses of GitHub Actions Workflow expressions.
https://ericcornelissen.github.io/ades/
GNU General Public License v3.0

Consider conditionally/always trusting certain expressions #366

Open ericcornelissen opened 4 weeks ago

ericcornelissen commented 4 weeks ago

Relates to #145, https://github.com/ericcornelissen/ades/issues/360#issuecomment-2453371475

Summary

Admittedly, sometimes it's just easier to put an expression in directly instead of using, e.g., environment variables. And sometimes, we may be certain that an expression's value is trusted. Inspired by zizmor, we could consider improving ades by always allowing:

ericcornelissen commented 3 weeks ago

We could also consider ignoring expressions that cannot output anything other than true or false, e.g. because they use the contains function, as mentioned in the release notes for actionlint v1.7.4.
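As an added example (not code from ades or actionlint) of the heuristic discussed in this thread, written in Go like the tool: expressions in a `run:` script are still reported unless they can only evaluate to true or false, such as a `contains(...)` call or a comparison. The list of boolean functions, the operator rules and the sample script are constructed for this illustration and are assumptions, not ades behaviour.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// exprRe captures a ${{ ... }} body; strLitRe matches a single-quoted literal.
var (
	exprRe   = regexp.MustCompile(`\$\{\{\s*(.*?)\s*\}\}`)
	strLitRe = regexp.MustCompile(`'[^']*'`)
	// Functions that always return a boolean (lowercased: names are case-insensitive).
	boolFuncs = []string{"contains(", "startswith(", "endswith(", "success(", "failure(", "cancelled(", "always("}
)

// BooleanOnly reports whether an expression body can only evaluate to true or
// false. Conservative: `&&`/`||` return an operand, not a boolean, so they fail.
func BooleanOnly(expr string) bool {
	e := strLitRe.ReplaceAllString(strings.ToLower(strings.TrimSpace(expr)), "''")
	if strings.Contains(e, "&&") || strings.Contains(e, "||") {
		return false
	}
	for _, op := range []string{"==", "!=", "<", ">"} { // a comparison yields a boolean
		if strings.Contains(e, op) {
			return true
		}
	}
	for _, f := range boolFuncs { // a single boolean-valued function call
		if strings.HasPrefix(e, f) && strings.HasSuffix(e, ")") {
			return true
		}
	}
	return false
}

// Flagged returns the expressions in a run script whose value may be attacker-controlled text.
func Flagged(script string) []string {
	var out []string
	for _, m := range exprRe.FindAllStringSubmatch(script, -1) {
		if !BooleanOnly(m[1]) {
			out = append(out, m[1])
		}
	}
	return out
}

func main() { // constructed sample run script, not taken from a real workflow
	fmt.Println(Flagged(`echo "${{ github.event.issue.title }} ${{ contains(github.event.issue.title, 'bug') }}"`))
}
```

String literals are blanked before the operator check so that a `<` or `>` inside a quoted argument (for example in a `format(...)` call) is not mistaken for a comparison.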