fix(ci): prevent script injection in Portainer deployment step (#170)

Move IMAGE_TAG and SENTRY_RELEASE step outputs into env: vars so they
are passed as environment variables rather than interpolated directly
into the shell command string, eliminating a potential script-injection
vector via a crafted tag or Sentry version value.
2026-07-03 13:54:52 +02:00
committed by GitHub
parent b1f84d441f
commit 7c74574d3c
+3 -1
@@ -243,5 +243,7 @@ jobs:
shell: bash shell: bash
env: env:
PORTAINER_WEBHOOK: ${{secrets.PORTAINER_WEBHOOK}} PORTAINER_WEBHOOK: ${{secrets.PORTAINER_WEBHOOK}}
IMAGE_TAG: ${{steps.meta.outputs.tag}}
SENTRY_RELEASE: ${{steps.meta.outputs.sentry_version}}
run: | run: |
curl -v -X POST "${PORTAINER_WEBHOOK}?IMAGE_TAG=${{steps.meta.outputs.tag}}&SENTRY_RELEASE=${{steps.meta.outputs.sentry_version}}" --fail-with-body curl -v -X POST "${PORTAINER_WEBHOOK}?IMAGE_TAG=${IMAGE_TAG}&SENTRY_RELEASE=${SENTRY_RELEASE}" --fail-with-body
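Review bot: The two values are now safe from shell interpretation, but on the new `run:` line they are still spliced raw into the query string, so a tag or Sentry version containing `&`, `#` or `?` can still truncate or add webhook parameters; the `env:` values come from `steps.meta`, which is defined outside the hunk, so whether those characters can occur there cannot be checked here. Letting curl encode them closes that gap: `curl -v -X POST -G "${PORTAINER_WEBHOOK}" --data-urlencode "IMAGE_TAG=${IMAGE_TAG}" --data-urlencode "SENTRY_RELEASE=${SENTRY_RELEASE}" --fail-with-body` (`-G` appends the encoded pairs to the URL while `-X POST` keeps the method). Separately, `-v` prints the full request URL, which includes the secret webhook path; GitHub masks the literal secret value in logs, so this is probably fine, but `-sS` instead of `-v` would avoid relying on that masking.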