authorJonathan <jonathan@mullvad.net>2023-05-08 23:14:03 +0200
committerJonathan <jonathan@mullvad.net>2023-05-09 09:29:53 +0200
commitc1238f96d5d3a5db338c9381b53293ff618bcc3d (patch)
tree430074fbb2ccdfb5314936f27119362289ae3438 /.github
parentea503921eb452e6f2916061625e5c4ca5430b108 (diff)
Fix broken github CI script caused by CVE fix
The GitHub CI workflow broke because a script-injection vulnerability had been fixed in a quick-and-dirty way. That stopgap is cleaned up here, and the workflow now works better than before.
Diffstat (limited to '.github')
-rw-r--r--.github/workflows/verify-locked-down-signatures.yml12
1 files changed, 4 insertions, 8 deletions
diff --git a/.github/workflows/verify-locked-down-signatures.yml b/.github/workflows/verify-locked-down-signatures.yml
index 459545ac4c..b246910c87 100644
--- a/.github/workflows/verify-locked-down-signatures.yml
+++ b/.github/workflows/verify-locked-down-signatures.yml
@@ -12,7 +12,7 @@ on:
- ios/MullvadVPN.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved
- android/gradle/verification-metadata.xml
- android/gradle/wrapper/gradle-wrapper.properties
- - building/build-and-publish.sh
+ - building/build-and-publish-container-image.sh
- building/mullvad-app-container-signing.asc
- building/linux-container-image.txt
- building/android-container-image.txt
@@ -27,11 +27,7 @@ jobs:
ref: ${{ github.event.pull_request.head.sha }}
- name: Verify signatures
run: |-
- commits=${{ github.event.pull_request.commits }}
- if [[ -n "$commits" ]]; then
- echo "Fetching $commits commits"
- # FIXME: Temporarily simplified to avoid:
- # https://securitylab.github.com/research/github-actions-untrusted-input/#script-injections
- git fetch --depth="$(( commits + 1 ))"
- fi
+ base_ref=${{ github.event.pull_request.base.sha }}
+ head_ref=${{ github.event.pull_request.head.sha }}
+ git fetch --no-recurse-submodules --shallow-exclude=main origin main $base_ref $head_ref
ci/verify-locked-down-signatures.sh --import-gpg-keys --whitelist origin/main
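Review bot: The added `base_ref`/`head_ref` lines still splice `${{ }}` expressions straight into the shell script, which is exactly the pattern the removed FIXME comment linked to; the `*.sha` fields are GitHub-generated hex rather than attacker-controlled, so this is not an injection today, but it rests on a per-field judgement that a later edit (say, switching to `head.ref`) can silently break. The robust form is to pass the values through `env:` on the step and reference them as quoted shell variables, which also fixes the unquoted `$base_ref $head_ref` on the `git fetch` line. Since the only reason for fetching `main` alongside the two PR SHAs is visible solely from `--whitelist origin/main` on the last line, a comment such as `# main is fetched so the verifier can whitelist commits already on it; --shallow-exclude keeps the fetch small` would help the next reader. Whether `--shallow-exclude=main` still yields a usable `origin/main` when `main` is itself one of the requested refs is worth confirming from a run log rather than assumed.
```yaml
- name: Verify signatures
  env:
    BASE_SHA: ${{ github.event.pull_request.base.sha }}
    HEAD_SHA: ${{ github.event.pull_request.head.sha }}
  run: |-
    git fetch --no-recurse-submodules --shallow-exclude=main origin main "$BASE_SHA" "$HEAD_SHA"
    # … unchanged: ci/verify-locked-down-signatures.sh call …
```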