From c778562379d6abca1983e33cf4888cd1bfc7c6de Mon Sep 17 00:00:00 2001
From: Viz
Date: Sat, 18 Apr 2026 02:04:55 -0400
Subject: [PATCH] ci(security): harden workflow steps against template-injection (#68431)

zizmor v1.24.1 reports 8 template-injection findings across three workflow files where GitHub Actions ${{ ... }} expressions are interpolated directly into shell run: blocks. Applies the canonical fix pattern: hoist every dynamic value into a step-level env: block and reference it as a shell variable ("${VAR}") from the script.

Files changed:
- control-ui-locale-refresh.yml: move matrix.locale into env as LOCALE (1 site)
- docker-release.yml: hoist steps.tags.outputs.{value,slim} plus the four needs.build-{amd64,arm64}.outputs.{digest,slim-digest} values into env for both manifest-creation steps (6 sites)
- openclaw-npm-release.yml: hoist steps.publish_tarball.outputs.path into env as PUBLISH_TARBALL_PATH in the Publish step (1 site)

Verified locally with zizmor --persona regular on the three files: 'No findings to report. Good job!'. pnpm format:check and pnpm lint pass.

Refs #68428. Complements #66884, which covers the remaining 12 sites in openclaw-cross-os-release-checks-reusable.yml.
---
 .../workflows/control-ui-locale-refresh.yml |  3 ++-
 .github/workflows/docker-release.yml        | 20 +++++++++++++------
 .github/workflows/openclaw-npm-release.yml  |  3 ++-
 3 files changed, 18 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/control-ui-locale-refresh.yml b/.github/workflows/control-ui-locale-refresh.yml
index b72741417c1..5d0e3979c5b 100644
--- a/.github/workflows/control-ui-locale-refresh.yml
+++ b/.github/workflows/control-ui-locale-refresh.yml
@@ -140,7 +140,8 @@ jobs:
           ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
           OPENCLAW_CONTROL_UI_I18N_MODEL: gpt-5.4
           OPENCLAW_CONTROL_UI_I18N_THINKING: low
-        run: node --import tsx scripts/control-ui-i18n.ts sync --locale "${{ matrix.locale }}" --write
+          LOCALE: ${{ matrix.locale }}
+        run: node --import tsx scripts/control-ui-i18n.ts sync --locale "${LOCALE}" --write
       - name: Commit and push locale updates
         env:
diff --git a/.github/workflows/docker-release.yml b/.github/workflows/docker-release.yml
index ca9f406ab91..49b7b957a37 100644
--- a/.github/workflows/docker-release.yml
+++ b/.github/workflows/docker-release.yml
@@ -362,28 +362,36 @@ jobs:
       - name: Create and push default manifest
         shell: bash
+        env:
+          TAGS: ${{ steps.tags.outputs.value }}
+          AMD64_DIGEST: ${{ needs.build-amd64.outputs.digest }}
+          ARM64_DIGEST: ${{ needs.build-arm64.outputs.digest }}
         run: |
           set -euo pipefail
-          mapfile -t tags <<< "${{ steps.tags.outputs.value }}"
+          mapfile -t tags <<< "${TAGS}"
           args=()
           for tag in "${tags[@]}"; do
             [ -z "$tag" ] && continue
             args+=("-t" "$tag")
           done
           docker buildx imagetools create "${args[@]}" \
-            ${{ needs.build-amd64.outputs.digest }} \
-            ${{ needs.build-arm64.outputs.digest }}
+            "${AMD64_DIGEST}" \
+            "${ARM64_DIGEST}"
       - name: Create and push slim manifest
         shell: bash
+        env:
+          SLIM_TAGS: ${{ steps.tags.outputs.slim }}
+          AMD64_SLIM_DIGEST: ${{ needs.build-amd64.outputs.slim-digest }}
+          ARM64_SLIM_DIGEST: ${{ needs.build-arm64.outputs.slim-digest }}
         run: |
           set -euo pipefail
-          mapfile -t tags <<< "${{ steps.tags.outputs.slim }}"
+          mapfile -t tags <<< "${SLIM_TAGS}"
           args=()
           for tag in "${tags[@]}"; do
             [ -z "$tag" ] && continue
             args+=("-t" "$tag")
           done
           docker buildx imagetools create "${args[@]}" \
-            ${{ needs.build-amd64.outputs.slim-digest }} \
-            ${{ needs.build-arm64.outputs.slim-digest }}
+            "${AMD64_SLIM_DIGEST}" \
+            "${ARM64_SLIM_DIGEST}"
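Review bot: The new `LOCALE` entry carries no hint of why the value must not be inlined back into `run:`, so the pattern is easy to regress the next time someone edits the step. A one-line comment above each hoisted entry records the intent, e.g. `# hoisted into env so the expression is never expanded into shell text (zizmor: template-injection)`; the same applies to the two new `env:` blocks in docker-release.yml and the `PUBLISH_TARBALL_PATH` entry in openclaw-npm-release.yml. Here the value comes from `matrix.locale`, which is presumably a static list in the workflow, so the hoist is hygiene rather than a closed hole, but it keeps the zizmor run clean. The enclosing `steps:` list starts before the hunk.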
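Review bot: Quoting `"${AMD64_DIGEST}"` and `"${ARM64_DIGEST}"` changes what happens when a digest output is empty: the old unquoted `${{ ... }}` expanded to no argument at all, the new form passes a literal empty string to `docker buildx imagetools create`, which will presumably be rejected as an invalid reference rather than silently producing a single-platform manifest. That is the safer outcome, but the failure will be docker's own message, so a guard before the create call makes the cause explicit: `[ -n "${AMD64_DIGEST}" ] && [ -n "${ARM64_DIGEST}" ] || { echo "missing platform digest" >&2; exit 1; }`; note that `set -u` does not catch set-but-empty variables. The same applies to `AMD64_SLIM_DIGEST`/`ARM64_SLIM_DIGEST` in the slim manifest step.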
diff --git a/.github/workflows/openclaw-npm-release.yml b/.github/workflows/openclaw-npm-release.yml
index 9fde17cc361..9d173ff7cdd 100644
--- a/.github/workflows/openclaw-npm-release.yml
+++ b/.github/workflows/openclaw-npm-release.yml
@@ -397,9 +397,10 @@ jobs:
         env:
           OPENCLAW_PREPACK_PREPARED: "1"
           OPENCLAW_NPM_PUBLISH_TAG: ${{ inputs.npm_dist_tag }}
+          PUBLISH_TARBALL_PATH: ${{ steps.publish_tarball.outputs.path }}
         run: |
           set -euo pipefail
-          publish_target="${{ steps.publish_tarball.outputs.path }}"
+          publish_target="${PUBLISH_TARBALL_PATH}"
           if [[ -n "${publish_target}" ]]; then
             publish_target="./${publish_target}"
           fi
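Review bot: `publish_target="${PUBLISH_TARBALL_PATH}"` still tolerates an empty step output — the `if [[ -n ... ]]` only decides whether to add the `./` prefix, so an empty value falls through to whatever the publish command after `fi` does with an empty target. That command is outside the hunk, so I cannot tell whether an empty target is a supported mode or a silent mis-publish; if it is the latter, fail fast right after the assignment: `[[ -n "${PUBLISH_TARBALL_PATH}" ]] || { echo "publish_tarball step produced no path" >&2; exit 1; }`. The `./` prefix also deserves a short comment, e.g. `# prefix with ./ so the value is treated as a tarball path rather than a package spec` — that is the usual reason, but confirm it is the one intended here.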