From 445336aad9a72dc4a3de6cf2e7ad212517f94558 Mon Sep 17 00:00:00 2001
From: ActoryOu
Date: Mon, 4 Nov 2024 17:23:28 +0800
Subject: [PATCH] Follow GitHub recommendation to update release.yml (#1178)

GitHub recommends to store user inputs in environments variables and then use them in scripts. This PR updates the code as per the GitHub recommendation. Details here - https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#understanding-the-risk-of-script-injections.
---
 .github/workflows/auto-release.yml | 46 +++++++++++++++++++++---------
 tasks.c | 2 +-
 2 files changed, 34 insertions(+), 14 deletions(-)

diff --git a/.github/workflows/auto-release.yml b/.github/workflows/auto-release.yml
index bad7a9bce0..3477f65918 100644
--- a/.github/workflows/auto-release.yml
+++ b/.github/workflows/auto-release.yml
@@ -44,37 +44,49 @@ jobs: fetch-depth: 0 - name: Configure git identity + env: + ACTOR: ${{ github.actor }} run: | - git config --global user.name ${{ github.actor }} - git config --global user.email ${{ github.actor }}@users.noreply.github.com + git config --global user.name "$ACTOR" + git config --global user.email "$ACTOR"@users.noreply.github.com - name: create a new branch that references commit id + env: + VERSION_NUMBER: ${{ github.event.inputs.version_number }} + COMMIT_ID: ${{ github.event.inputs.commit_id }} working-directory: ./local_kernel run: | - git checkout -b ${{ github.event.inputs.version_number }} ${{ github.event.inputs.commit_id }} + git checkout -b "$VERSION_NUMBER" "$COMMIT_ID" echo "COMMIT_SHA_1=$(git rev-parse HEAD)" >> $GITHUB_ENV - name: Update source files with version info + env: + VERSION_NUMBER: ${{ github.event.inputs.version_number }} + MAIN_BR_VERSION_NUMBER: ${{ github.event.inputs.main_br_version }} + COMMIT_SHA_1: ${{ env.COMMIT_SHA_1 }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | # Install deps and run pip install -r ./tools/.github/scripts/release-requirements.txt - ./tools/.github/scripts/update_src_version.py FreeRTOS --kernel-repo-path=local_kernel --kernel-commit=${{ env.COMMIT_SHA_1 }} --new-kernel-version=${{ github.event.inputs.version_number }} --new-kernel-main-br-version=${{ github.event.inputs.main_br_version }} + ./tools/.github/scripts/update_src_version.py FreeRTOS --kernel-repo-path=local_kernel --kernel-commit="$COMMIT_SHA_1" --new-kernel-version="$VERSION_NUMBER" --new-kernel-main-br-version="$MAIN_BR_VERSION_NUMBER" exit $? - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name : Update version number in manifest.yml + env: + VERSION_NUMBER: ${{ github.event.inputs.version_number }} working-directory: ./local_kernel run: | - ./.github/scripts/manifest_updater.py -v ${{ github.event.inputs.version_number }} + ./.github/scripts/manifest_updater.py -v "$VERSION_NUMBER" exit $? 
- name : Commit version number change in manifest.yml + env: + VERSION_NUMBER: ${{ github.event.inputs.version_number }} working-directory: ./local_kernel run: | git add . git commit -m '[AUTO][RELEASE]: Update version number in manifest.yml' - git push -u origin ${{ github.event.inputs.version_number }} + git push -u origin "$VERSION_NUMBER" - name: Generate SBOM uses: FreeRTOS/CI-CD-Github-Actions/sbom-generator@main 
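Review bot: Moving the inputs into `env:` closes the expression-injection path, but `version_number` and `commit_id` still reach git unvalidated in `git checkout -b "$VERSION_NUMBER" "$COMMIT_ID"` and `git push -u origin "$VERSION_NUMBER"`, so a value beginning with `-` would likely be read as a git option and a malformed branch name only fails late in the job; the `git push` and `git push --delete` calls in the next hunk have the same exposure. A validation step placed before the branch is created would fail fast on values that do not match the expected shape (a version tag and a hex commit id); the patterns below are placeholders to be tightened to the project's version scheme, which is not visible here, and they assume the job's `run:` steps use bash. Minor: `"$ACTOR"@users.noreply.github.com` works by concatenation, but `"$ACTOR@users.noreply.github.com"` reads more clearly. The enclosing job and `jobs:` block start before this hunk.
```yaml
    - name: Validate workflow inputs
      env:
        VERSION_NUMBER: ${{ github.event.inputs.version_number }}
        MAIN_BR_VERSION_NUMBER: ${{ github.event.inputs.main_br_version }}
        COMMIT_ID: ${{ github.event.inputs.commit_id }}
      run: |
        # Placeholder patterns: tighten to the project's version scheme.
        [[ "$VERSION_NUMBER" =~ ^[A-Za-z0-9][A-Za-z0-9._-]*$ ]] || { echo "invalid version_number"; exit 1; }
        [[ "$MAIN_BR_VERSION_NUMBER" =~ ^[A-Za-z0-9][A-Za-z0-9._-]*$ ]] || { echo "invalid main_br_version"; exit 1; }
        [[ "$COMMIT_ID" =~ ^[0-9a-fA-F]{7,40}$ ]] || { echo "invalid commit_id"; exit 1; }
        # Reject anything git itself would not accept as a branch name.
        git check-ref-format --branch "$VERSION_NUMBER" > /dev/null

    # … unchanged: "create a new branch that references commit id" step …
```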
@@ -83,24 +95,32 @@ jobs: source_path: ./ - name: commit SBOM file + env: + VERSION_NUMBER: ${{ github.event.inputs.version_number }} working-directory: ./local_kernel run: | git add . git commit -m '[AUTO][RELEASE]: Update SBOM' - git push -u origin ${{ github.event.inputs.version_number }} + git push -u origin "$VERSION_NUMBER" echo "COMMIT_SHA_2=$(git rev-parse HEAD)" >> $GITHUB_ENV - name: Release + env: + VERSION_NUMBER: ${{ github.event.inputs.version_number }} + MAIN_BR_VERSION_NUMBER: ${{ github.event.inputs.main_br_version }} + COMMIT_SHA_2: ${{ env.COMMIT_SHA_2 }} + REPO_OWNER: ${{ github.repository_owner }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | # Install deps and run pip install -r ./tools/.github/scripts/release-requirements.txt - ./tools/.github/scripts/release.py ${{ github.repository_owner }} --kernel-repo-path=local_kernel --kernel-commit=${{ env.COMMIT_SHA_2 }} --new-kernel-version=${{ github.event.inputs.version_number }} --new-kernel-main-br-version=${{ github.event.inputs.main_br_version }} + ./tools/.github/scripts/release.py "$REPO_OWNER" --kernel-repo-path=local_kernel --kernel-commit="$COMMIT_SHA_2" --new-kernel-version="$VERSION_NUMBER" --new-kernel-main-br-version="$MAIN_BR_VERSION_NUMBER" exit $? - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Cleanup + env: + VERSION_NUMBER: ${{ github.event.inputs.version_number }} working-directory: ./local_kernel run: | # Delete the branch created for Tag by SBOM generator - git push -u origin --delete ${{ github.event.inputs.version_number }} + git push -u origin --delete "$VERSION_NUMBER"
diff --git a/tasks.c b/tasks.c
index 147b1aade8..421dea71df 100644
--- a/tasks.c
+++ b/tasks.c
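Review bot: `COMMIT_SHA_2: ${{ env.COMMIT_SHA_2 }}` in the Release step's `env:` re-exports a value that the `commit SBOM file` step already wrote to `$GITHUB_ENV`, which on its own makes it an environment variable of every later step in the job; the mapping is therefore redundant, and listing it alongside the user-supplied inputs invites a reader to take it for another input. The same applies to `COMMIT_SHA_1` in the `Update source files with version info` step of the earlier hunk. Either drop the two lines, or keep them with a comment such as `# already set via $GITHUB_ENV; listed only to document the dependency`.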
@@ -3882,7 +3882,7 @@ void vTaskSuspendAll( void )
 /* This must never be called from inside a critical section. */
 configASSERT( portGET_CRITICAL_NESTING_COUNT() == 0 );
- /* portSOFRWARE_BARRIER() is only implemented for emulated/simulated ports that
+ /* portSOFTWARE_BARRIER() is only implemented for emulated/simulated ports that
  * do not otherwise exhibit real time behaviour. */
 portSOFTWARE_BARRIER();