From 01db727fa2484390b64ec3864e2354b96895143e Mon Sep 17 00:00:00 2001
From: Hamish Willee
Date: Thu, 14 Aug 2025 17:38:14 +1000
Subject: [PATCH] Fix workflow vulnerabilities in flaw checker and comments (#25419)
* docs_pr_comment.yml - fix script expansion issue
* Fix flaw checker too
* docs_flaw_checker.yml - tj-actions/changed files to latest Fixes security bug in using vulnerable version
---------
Co-authored-by: PX4BuildBot
---
 .github/workflows/docs_flaw_checker.yml | 26 +++++++++++++++++--------
 .github/workflows/docs_pr_comment.yml | 8 ++++++--
 2 files changed, 24 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/docs_flaw_checker.yml b/.github/workflows/docs_flaw_checker.yml
index 20f886c891..c0d15c76de 100644
--- a/.github/workflows/docs_flaw_checker.yml
+++ b/.github/workflows/docs_flaw_checker.yml
@@ -29,7 +29,7 @@ jobs:
 - name: Get changed english doc files
 id: get_changed_markdown_english
- uses: tj-actions/changed-files@v35.9.2
+ uses: tj-actions/changed-files@v46.0.5
 with:
 json: true
 base_sha: "${{ github.event.pull_request.base.sha }}"
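Review bot: The new line `uses: tj-actions/changed-files@v46.0.5` still pins the action to a mutable tag, so the code this workflow runs can change without any change to this file whenever the tag is moved, whether by the maintainer or by anyone who gains control of that repository. Pin to the full commit SHA of the release and keep the version as a trailing comment so updates stay reviewable, e.g. `uses: tj-actions/changed-files@<full-commit-sha>  # v46.0.5`. The `actions/upload-artifact@v4` context line in the later hunk of this file has the same exposure and would benefit from the same treatment.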
@@ -42,14 +42,23 @@ jobs:
 - name: Save JSON file containing files to link check
 run: |
- echo "${{ steps.get_changed_markdown_english.outputs.all_changed_files }}"
- echo "${{ steps.get_changed_markdown_english.outputs.all_changed_files }}" > ./logs/prFiles.json
+ echo "$ALL_CHANGED_FILES"
+ echo "$ALL_CHANGED_FILES" > ./logs/prFiles.json
+ env:
+ ALL_CHANGED_FILES: ${{ steps.get_changed_markdown_english.outputs.all_changed_files }}
 - name: Run link checker
 id: link-check
 run: |
 npm -g install markdown_link_checker_sc@0.0.138
- markdown_link_checker_sc -r ${{ github.workspace }} -d docs -e en -f ./logs/prFiles.json -i assets -u docs.px4.io/main/ > ./logs/errorsFilteredByPrPages.md
+ markdown_link_checker_sc \
+ -r "$GITHUB_WORKSPACE" \
+ -d docs \
+ -e en \
+ -f ./logs/prFiles.json \
+ -i assets \
+ -u docs.px4.io/main/ \
+ > ./logs/errorsFilteredByPrPages.md
 mkdir -p ./pr
 cp ./logs/errorsFilteredByPrPages.md ./pr/errorsFilteredByPrPages.md
@@ -60,14 +69,15 @@ jobs:
 path: ./logs/errorsFilteredByPrPages.md
 - name: Echo Errors by Page
- run: echo "${{ steps.read-errors-by-page.outputs.content }}"
+ run: echo "$ERRORS"
+ env:
+ ERRORS: ${{ steps.read-errors-by-page.outputs.content }}
 - name: Save PR number
+ run: echo "$PR_NUMBER" > ./pr/pr_number
 env:
 PR_NUMBER: ${{ github.event.number }}
- run: |
- #mkdir -p ./pr
- echo $PR_NUMBER > ./pr/pr_number
+
 - uses: actions/upload-artifact@v4
 with:
 name: pr_number
diff --git a/.github/workflows/docs_pr_comment.yml b/.github/workflows/docs_pr_comment.yml
index 0d9b9a9066..41e443a786 100644
--- a/.github/workflows/docs_pr_comment.yml
+++ b/.github/workflows/docs_pr_comment.yml
@@ -4,6 +4,7 @@ on:
 workflows: ["Docs - Check for flaws in PX4 Guide Source"]
 types:
 - completed
+
 jobs:
 comment:
 permissions:
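Review bot: In the rewritten `Save JSON file` step, `echo "$ALL_CHANGED_FILES" > ./logs/prFiles.json` still passes the value through `echo`, whose treatment of a leading `-n`/`-e` or of backslash sequences depends on the shell in use; for a JSON array this is unlikely to bite, but `printf '%s\n' "$ALL_CHANGED_FILES" > ./logs/prFiles.json` writes the value byte-for-byte with no such dependency. Moving the expression into `env:` is the correct fix for the injection itself, since the file paths in that list are chosen by the pull-request author; this note is only about preserving the value exactly. The `echo "$ERRORS"` and `echo "$PR_NUMBER"` lines in the next hunk of this file can use the same `printf` form.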
@@ -56,8 +57,11 @@ jobs:
 - name: File detail info
 run: |
- echo "${{ steps.read-errors-by-page.outputs.content }}"
- echo "${{ steps.read-error-pr-number.outputs.content }}"
+ echo "$ERRORS"
+ echo "$PRNUM"
+ env:
+ ERRORS: ${{ steps.read-errors-by-page.outputs.content }}
+ PRNUM: ${{ steps.read-error-pr-number.outputs.content }}
 - name: Create or update comment
 id: comment_to_pr
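Review bot: `PRNUM` is now passed through `env:`, which closes the expression-injection, but its value is whatever the `read-error-pr-number` step read, presumably the `pr_number` artifact written by the pull-request-triggered flaw-checker run, so it is under the control of the pull-request author and this workflow runs with the permissions declared in its own `permissions:` block. The following step, `Create or update comment`, begins outside the hunk; if it feeds that step output into an API call or a `${{ }}` expression, validate it first, e.g. `[[ "$PRNUM" =~ ^[0-9]+$ ]] || { echo "invalid PR number"; exit 1; }`, so an arbitrary value cannot point the comment at a different pull request or issue. `ERRORS` comes from the same untrusted run; echoing it under quotes is harmless, but it should be handled as data rather than interpolated into an expression wherever it is used later.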