huggingface / doc-builder

The package used to build the documentation of our Hugging Face repos
Apache License 2.0

Use GITHUB_OUTPUTS, not GITHUB_ENV for security reasons #461

Closed mishig25 closed 1 year ago

mishig25 commented 1 year ago

Use echo >> GITHUB_OUTPUT rather than echo >> GITHUB_ENV because the lines below were previously a security vulnerability with echo >> GITHUB_ENV (see the hackerrank one)

https://github.com/huggingface/doc-builder/blob/c33e00834df8e85b18cdefccd56e26acb53a5be0/.github/workflows/upload_pr_documentation.yml#L75-L81

Unlike GITHUB_ENV, GITHUB_OUTPUT gets sanitized
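An added example (my own code, not doc-builder's) that shows what the two write patterns from this PR produce: temporary files stand in for the real GITHUB_ENV/GITHUB_OUTPUT files, a small awk function models how the runner parses the documented name=value and name<<delimiter records, and the constructed PR title plus the naive_write/safe_write helper names are assumptions.

```shell
#!/bin/sh
# Added example, not doc-builder's own code. Temporary files stand in for
# the real $GITHUB_ENV / $GITHUB_OUTPUT files so everything runs offline.

# Constructed untrusted input: a PR title with an embedded newline.
UNTRUSTED_TITLE='Fix docs
INJECTED_VAR=owned'

# Naive pattern: a bare echo writes as many lines as the value contains,
# so the second line of the title becomes its own key=value record.
naive_write() {                       # naive_write KEY VALUE FILE
    echo "$1=$2" >> "$3"
}

# Hardened pattern: the documented multi-line "KEY<<DELIM" form with a
# random delimiter, refusing any value that happens to contain it.
safe_write() {                        # safe_write KEY VALUE FILE
    delim="ghadelim_$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')"
    case $2 in
        *"$delim"*) echo "refusing value containing delimiter" >&2; return 1 ;;
    esac
    printf '%s<<%s\n%s\n%s\n' "$1" "$delim" "$2" "$delim" >> "$3"
}

# Model of how the runner parses these files: "KEY=VALUE" records and
# "KEY<<DELIM ... DELIM" blocks. Prints the key names, space separated.
list_keys() {                         # list_keys FILE
    awk '
      inblk { if ($0 == d) inblk = 0; next }
      match($0, /^[A-Za-z_][A-Za-z0-9_]*<</) {
          print substr($0, 1, RLENGTH - 2); d = substr($0, RLENGTH + 1); inblk = 1; next }
      match($0, /^[A-Za-z_][A-Za-z0-9_]*=/) { print substr($0, 1, RLENGTH - 1) }
    ' "$1" | xargs
}

# Keys a consumer would see after each pattern writes the same input.
keys_after() {                        # keys_after naive_write|safe_write
    f=$(mktemp)
    "$1" PR_TITLE "$UNTRUSTED_TITLE" "$f"
    list_keys "$f"
    rm -f "$f"
}

echo "naive: $(keys_after naive_write)"   # naive: PR_TITLE INJECTED_VAR
echo "safe:  $(keys_after safe_write)"    # safe:  PR_TITLE
```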

mishig25 commented 1 year ago

@coyotte508 wdyt https://github.com/huggingface/doc-builder/pull/461/commits/621d1842d666887e995356fc30fccf897f170b49 ?

mishig25 commented 1 year ago

tested and working at https://github.com/huggingface/diffusers/pull/6018#issuecomment-1836126967