CORE-1540 use nomad pack version 0.4.1#150
This comment ensures that the correct Slack channel is notified after the team/project label. See this comment for details.
| --var='environment=${{ inputs.environment }}' \ | ||
| --var='code_version=${{ inputs.code_version || steps.checkout.outputs.commit }}' \ | ||
| --var-file=${{ inputs.variables_file_name }} \ | ||
| --var-file=${{ inputs.variables_file_name }} --ignore-missing-vars \ |
Check warning
Code scanning / CodeQL: Code injection (Medium)
Copilot Autofix (AI, about 1 month ago)
In general, the fix is to avoid using the GitHub expression ${{ inputs.variables_file_name }} directly inside the shell script body. Instead, assign the input to an environment variable in the env: section of the step, and then reference that variable using native shell syntax ($VAR) inside the run: block. This prevents a malicious value from being re-interpreted as part of the script, because GitHub’s expression engine substitutes only the env var value (without re-parsing), and the shell performs a simple variable expansion within a single argument.
For this specific workflow, we should update the "Validate Nomad Configurations" step. Add an environment variable, for example NOMAD_VAR_FILE, set to ${{ inputs.variables_file_name }} in the step’s env: block. Then, in the run: script, replace --var-file=${{ inputs.variables_file_name }} with --var-file="$NOMAD_VAR_FILE". This preserves the existing behavior (the same value is passed to nomad-pack), but removes the direct GitHub expression from the shell script, aligning with GitHub’s secure usage guidance. No new imports or external tools are needed; this is entirely a YAML and shell change within .github/workflows/nomad-pack.yml.
| @@ -185,6 +185,7 @@ | ||
| NOMAD_VAR_task_image: ${{ inputs.image_name }} | ||
| NOMAD_VAR_cluster: ${{ inputs.cluster }} | ||
| NOMAD_VAR_environment: ${{ inputs.environment }} | ||
| NOMAD_VAR_FILE: ${{ inputs.variables_file_name }} | ||
| run: | | ||
| nomad-pack render ${{ inputs.pack_name }} \ | ||
| --var='task_image=${{ inputs.image_name }}' \ | ||
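Review bot: `NOMAD_VAR_FILE` lands inside the `NOMAD_VAR_` prefix that the three lines above it use for HCL2 job variables (`NOMAD_VAR_task_image`, `NOMAD_VAR_cluster`, `NOMAD_VAR_environment`), so the `nomad job validate -` this render is piped into will also see a job variable named `FILE` holding a file path; pick a name outside that prefix, e.g. `VARIABLES_FILE_NAME`. The sink CodeQL flagged is also still present two lines below `run: |`: `nomad-pack render ${{ inputs.pack_name }}` (unquoted) and `--var='task_image=${{ inputs.image_name }}'` interpolate inputs straight into the script, so every `inputs.*` used in this step should move into `env:` in the same way, not only `variables_file_name`.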
| @@ -192,7 +193,7 @@ | ||
| --var='cluster=${{ inputs.cluster }}' \ | ||
| --var='environment=${{ inputs.environment }}' \ | ||
| --var='code_version=${{ inputs.code_version || steps.checkout.outputs.commit }}' \ | ||
| --var-file=${{ inputs.variables_file_name }} --ignore-missing-vars \ | ||
| --var-file="$NOMAD_VAR_FILE" --ignore-missing-vars \ | ||
| --name=${{ inputs.name }} --registry=remerge-pack \ | ||
| | tail -n +2 | nomad job validate - | ||
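Review bot: `--name=${{ inputs.name }}` on the line after the changed one is unquoted and still expanded into the script text, and `--var='code_version=${{ inputs.code_version || steps.checkout.outputs.commit }}'` two lines above relies on single quotes that an input containing `'` terminates; both are the same injection sink as the `--var-file` expression this hunk fixes, so the alert will simply move to the next expression. Put `inputs.name`, `inputs.cluster`, `inputs.environment` and `inputs.code_version` into `env:` too and reference them as `"$NAME"`, `"$CLUSTER"` and so on.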
| --var='environment=${{ inputs.environment }}' \ | ||
| --var='code_version=${{ inputs.code_version || steps.checkout.outputs.commit }}' \ | ||
| --var-file=${{ inputs.variables_file_name }} \ | ||
| --var-file=${{ inputs.variables_file_name }} --ignore-missing-vars \ |
Check warning
Code scanning / CodeQL: Code injection (Medium)
Copilot Autofix (AI, about 1 month ago)
In general, to fix this type of problem, any user‑controlled values used in run: scripts should not be interpolated directly using GitHub expression syntax within the script body. Instead, assign them to environment variables at the step level using ${{ ... }} and then reference them inside the script using the shell’s native variable expansion (e.g., $VAR), which avoids the templating engine rewriting and allows safe quoting and escaping.
For this concrete issue, we should stop using ${{ inputs.variables_file_name }} inside the run: block and instead expose it via an environment variable such as VARIABLES_FILE_NAME. Then, update both the Validate Nomad Configurations and Run Nomad Pack Plan steps to use "${VARIABLES_FILE_NAME}" in the --var-file argument. To keep behavior unchanged, we will:
- Add `VARIABLES_FILE_NAME: ${{ inputs.variables_file_name }}` to the `env:` section of both steps.
- Replace `--var-file=${{ inputs.variables_file_name }}` with `--var-file="$VARIABLES_FILE_NAME"` in the `run:` scripts.
This preserves the same effective argument content while removing direct expression interpolation from the shell command and allowing proper shell quoting.
| @@ -185,6 +185,7 @@ | ||
| NOMAD_VAR_task_image: ${{ inputs.image_name }} | ||
| NOMAD_VAR_cluster: ${{ inputs.cluster }} | ||
| NOMAD_VAR_environment: ${{ inputs.environment }} | ||
| VARIABLES_FILE_NAME: ${{ inputs.variables_file_name }} | ||
| run: | | ||
| nomad-pack render ${{ inputs.pack_name }} \ | ||
| --var='task_image=${{ inputs.image_name }}' \ | ||
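Review bot: `nomad-pack render ${{ inputs.pack_name }}` two lines below the new `env:` entry is both substituted by the expression engine and unquoted, so a `pack_name` containing whitespace splits into extra arguments and one containing `;` or backticks runs as a command; give it the same treatment (`PACK_NAME: ${{ inputs.pack_name }}` in `env:`, `nomad-pack render "$PACK_NAME"` in `run:`). Choosing `VARIABLES_FILE_NAME` rather than a `NOMAD_VAR_`-prefixed name is the right call here, since the `NOMAD_VAR_*` entries directly above it are the ones `nomad` reads as job variables.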
| @@ -192,7 +193,7 @@ | ||
| --var='cluster=${{ inputs.cluster }}' \ | ||
| --var='environment=${{ inputs.environment }}' \ | ||
| --var='code_version=${{ inputs.code_version || steps.checkout.outputs.commit }}' \ | ||
| --var-file=${{ inputs.variables_file_name }} --ignore-missing-vars \ | ||
| --var-file="$VARIABLES_FILE_NAME" --ignore-missing-vars \ | ||
| --name=${{ inputs.name }} --registry=remerge-pack \ | ||
| | tail -n +2 | nomad job validate - | ||
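Review bot: when the caller omits `variables_file_name`, `--var-file="$VARIABLES_FILE_NAME"` passes an empty path (`--var-file=`) to `nomad-pack`, which is what the unquoted original did as well, so behaviour is unchanged but the intent is implicit and any failure will come from `nomad-pack` rather than from the workflow. Either mark the input `required: true` or drop the flag when the value is empty with `${VARIABLES_FILE_NAME:+--var-file="$VARIABLES_FILE_NAME"}`; the `--ignore-missing-vars` that follows does not help with a missing file.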
| @@ -202,6 +203,7 @@ | ||
| env: | ||
| NOMAD_TOKEN: ${{ env.NOMAD_TOKEN }} | ||
| NOMAD_ADDR: ${{ inputs.api_url }} | ||
| VARIABLES_FILE_NAME: ${{ inputs.variables_file_name }} | ||
| # continue on error; default is `bash -e {0}` | ||
| shell: bash {0} | ||
| run: | | ||
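Review bot: this is the step that carries credentials (`NOMAD_TOKEN` and `NOMAD_ADDR` in `env:`), and `shell: bash {0}` drops `-e`, so a failing `nomad-pack plan` does not fail the step by itself; the comment says that is intentional, so make sure the exit status captured by the command substitution closed on the `--exit-code-makes-changes=0)` line is checked and surfaced. Consider `bash -u {0}` so that an unset `VARIABLES_FILE_NAME` aborts the step instead of turning into an empty `--var-file=`. Passing the token through `env:` rather than interpolating `${{ env.NOMAD_TOKEN }}` into `run:` is the right shape; keep it that way.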
| @@ -211,7 +213,7 @@ | ||
| --var='cluster=${{ inputs.cluster }}' \ | ||
| --var='environment=${{ inputs.environment }}' \ | ||
| --var='code_version=${{ inputs.code_version || steps.checkout.outputs.commit }}' \ | ||
| --var-file=${{ inputs.variables_file_name }} --ignore-missing-vars \ | ||
| --var-file="$VARIABLES_FILE_NAME" --ignore-missing-vars \ | ||
| --name=${{ inputs.name }} --registry=remerge-pack \ | ||
| --exit-code-makes-changes=0) | ||
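Review bot: `--name=${{ inputs.name }}` directly above `--exit-code-makes-changes=0)` is still expanded into the script and unquoted, and this step runs with `NOMAD_TOKEN` set, so an injected value here executes with the cluster token; that makes this expression more important to fix than the `variables_file_name` one CodeQL flagged. Route `inputs.name`, and the `cluster`, `environment` and `code_version` inputs on the lines above, through `env:` in this step as well, in the same way the hunk does for `VARIABLES_FILE_NAME`.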
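Both Copilot suggestions above describe the same mechanism: GitHub Actions substitutes `${{ inputs.* }}` into the `run:` text before bash ever parses it, so an input value is script, whereas a value delivered through `env:` is expanded by bash into a single word. The following bash script is an added example, not code from the PR, from the workflow or from the Copilot suggestions. It mimics the expression engine with a textual substitution, uses a hypothetical `fake_nomad_pack` function in place of `nomad-pack` so the argument boundaries are visible, and uses a constructed input value whose "payload" is a harmless `echo`.

```bash
#!/usr/bin/env bash
# Added example (not from the PR). Shows why `--var-file=${{ inputs.x }}` in a
# `run:` block is a code-injection sink and why `--var-file="$X"` with X set in
# `env:` is not. `fake_nomad_pack` is a stand-in for nomad-pack; the payload is
# a constructed input whose only effect is an `echo`.

# Stand-in for nomad-pack: prints one argument per line so the argument
# boundaries the shell produced can be seen.
fake_nomad_pack() { printf '%s\n' "$@"; }

# Vulnerable shape. GitHub expands the expression textually, so we do the
# same: splice the raw input into the script text, then run that text as the
# runner would.
run_inline() {
  local input="$1"
  local marker='${{ inputs.variables_file_name }}'
  local template="fake_nomad_pack render mypack --var-file=$marker --ignore-missing-vars"
  local script="${template//"$marker"/$input}"   # this is what bash receives
  eval "$script"
}

# Hardened shape. The script text is constant; the value arrives through the
# environment and "$VARIABLES_FILE_NAME" expands to exactly one argument, no
# matter which metacharacters it contains.
run_env() {
  local VARIABLES_FILE_NAME="$1"
  fake_nomad_pack render mypack --var-file="$VARIABLES_FILE_NAME" --ignore-missing-vars
}

# Returns 0 if the stand-in's output contains a line starting with INJECTED,
# i.e. the payload's `echo` ran as a command of its own; 1 otherwise.
injected() { printf '%s\n' "$1" | grep -q '^INJECTED'; }

if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  payload='vars.hcl; echo INJECTED'   # constructed malicious input value
  echo '== --var-file=${{ inputs.variables_file_name }} (vulnerable) =='
  run_inline "$payload"
  echo '== --var-file="$VARIABLES_FILE_NAME" (hardened) =='
  run_env "$payload"
fi
```

Running it with `bash` shows the difference in the argument list: in the inline variant the stand-in receives three arguments and then a separate `echo INJECTED --ignore-missing-vars` command runs, while in the env variant the whole string `vars.hcl; echo INJECTED` is delivered as the fourth argument and nothing is executed. The same applies to every other `${{ inputs.* }}` inside a `run:` block, not only `variables_file_name`.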
https://remerge.atlassian.net/browse/CORE-1540