| author | Linus Färnstrand <faern@faern.net> | 2023-04-27 13:58:50 +0200 |
|---|---|---|
| committer | Linus Färnstrand <linus@mullvad.net> | 2023-04-27 14:06:26 +0200 |
| commit | 9c623cc0b67d24f66ec0dfa6736b86182ff2e486 (patch) | |
| tree | 7281b463f78cf8152d693291d244efabdffa0f1b /.github | |
| parent | 75361cba9eae35764b3a22b1e535a7d2b5ce2a53 (diff) | |
Temporary fix to avoid the reported vuln: GHSA-x5vj-ch4c-g3jr
Diffstat (limited to '.github')
| -rw-r--r-- | .github/workflows/verify-locked-down-signatures.yml | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/.github/workflows/verify-locked-down-signatures.yml b/.github/workflows/verify-locked-down-signatures.yml index 0e4f281a51..459545ac4c 100644 --- a/.github/workflows/verify-locked-down-signatures.yml +++ b/.github/workflows/verify-locked-down-signatures.yml @@ -29,8 +29,9 @@ jobs: run: |- commits=${{ github.event.pull_request.commits }} if [[ -n "$commits" ]]; then - # Prepare enough depth for diffs with main, currently hard-coded but should probably be - # whatever branch is merged into - git fetch --depth="$(( commits + 1 ))" origin ${{ github.head_ref }} main + echo "Fetching $commits commits" + # FIXME: Temporarily simplified to avoid: + # https://securitylab.github.com/research/github-actions-untrusted-input/#script-injections + git fetch --depth="$(( commits + 1 ))" fi ci/verify-locked-down-signatures.sh --import-gpg-keys --whitelist origin/main |
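Review bot: On the new `git fetch --depth="$(( commits + 1 ))"` line, the fetch no longer names `main`, yet the following line still passes `--whitelist origin/main` to `ci/verify-locked-down-signatures.sh`. Whether `origin/main` is available at sufficient depth now depends on the checkout step, which is outside the visible lines, so it is worth confirming the diff against main still covers every commit in the pull request. The FIXME should also record the intended permanent fix: pass the branch name to the step through an `env:` entry and reference it as a quoted shell variable (for example `"$HEAD_REF"`, a name chosen here for illustration) instead of interpolating `${{ github.head_ref }}` into the script, which is the remediation the linked Security Lab article describes. Separately, `commits=${{ github.event.pull_request.commits }}` at the top of the script is still expanded inline; it is a count supplied by GitHub rather than a free-form string, but moving it to `env:` as well would leave the `run:` body free of `${{ }}` expressions and easier to audit.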
