Follow GitHub recommendation to update release.yml (#1178)

GitHub recommends to store user inputs in environments variables and then use them in scripts. This PR updates the code as per the GitHub recommendation. Details here - https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#understanding-the-risk-of-script-injections.
2025-04-19 13:01:57 -04:00 · 2024-11-04 17:23:28 +08:00 · 2024-11-04 17:23:28 +08:00 · 445336aad9
parent 7d76dceaad
commit 445336aad9
2 changed files with 34 additions and 14 deletions
--- a/.github/workflows/auto-release.yml
+++ b/.github/workflows/auto-release.yml
@ -44,37 +44,49 @@ jobs:
          fetch-depth: 0

      - name: Configure git identity
+        env:
+          ACTOR: ${{ github.actor }}
        run: |
-          git config --global user.name ${{ github.actor }}
-          git config --global user.email ${{ github.actor }}@users.noreply.github.com
+          git config --global user.name "$ACTOR"
+          git config --global user.email "$ACTOR"@users.noreply.github.com

      - name: create a new branch that references commit id
+        env:
+          VERSION_NUMBER: ${{ github.event.inputs.version_number }}
+          COMMIT_ID: ${{ github.event.inputs.commit_id }}
        working-directory: ./local_kernel
        run: |
-          git checkout -b ${{ github.event.inputs.version_number }} ${{ github.event.inputs.commit_id }}
+          git checkout -b "$VERSION_NUMBER" "$COMMIT_ID"
          echo "COMMIT_SHA_1=$(git rev-parse HEAD)" >> $GITHUB_ENV

      - name: Update source files with version info
+        env:
+          VERSION_NUMBER: ${{ github.event.inputs.version_number }}
+          MAIN_BR_VERSION_NUMBER: ${{ github.event.inputs.main_br_version }}
+          COMMIT_SHA_1: ${{ env.COMMIT_SHA_1 }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          # Install deps and run
          pip install -r ./tools/.github/scripts/release-requirements.txt
-          ./tools/.github/scripts/update_src_version.py FreeRTOS --kernel-repo-path=local_kernel --kernel-commit=${{ env.COMMIT_SHA_1 }} --new-kernel-version=${{ github.event.inputs.version_number }} --new-kernel-main-br-version=${{ github.event.inputs.main_br_version }}
+          ./tools/.github/scripts/update_src_version.py FreeRTOS --kernel-repo-path=local_kernel --kernel-commit="$COMMIT_SHA_1" --new-kernel-version="$VERSION_NUMBER" --new-kernel-main-br-version="$MAIN_BR_VERSION_NUMBER"
          exit $?
-        env:
-            GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name : Update version number in manifest.yml
+        env:
+          VERSION_NUMBER: ${{ github.event.inputs.version_number }}
        working-directory: ./local_kernel
        run: |
-          ./.github/scripts/manifest_updater.py -v ${{ github.event.inputs.version_number }}
+          ./.github/scripts/manifest_updater.py -v "$VERSION_NUMBER"
          exit $?

      - name : Commit version number change in manifest.yml
+        env:
+          VERSION_NUMBER: ${{ github.event.inputs.version_number }}
        working-directory: ./local_kernel
        run: |
          git add .
          git commit -m '[AUTO][RELEASE]: Update version number in manifest.yml'
-          git push -u origin ${{ github.event.inputs.version_number }}
+          git push -u origin "$VERSION_NUMBER"

      - name: Generate SBOM
        uses: FreeRTOS/CI-CD-Github-Actions/sbom-generator@main
@ -83,24 +95,32 @@ jobs:
          source_path: ./

      - name: commit SBOM file
+        env:
+          VERSION_NUMBER: ${{ github.event.inputs.version_number }}
        working-directory: ./local_kernel
        run: |
          git add .
          git commit -m '[AUTO][RELEASE]: Update SBOM'
-          git push -u origin ${{ github.event.inputs.version_number }}
+          git push -u origin "$VERSION_NUMBER"
          echo "COMMIT_SHA_2=$(git rev-parse HEAD)" >> $GITHUB_ENV

      - name: Release
+        env:
+          VERSION_NUMBER: ${{ github.event.inputs.version_number }}
+          MAIN_BR_VERSION_NUMBER: ${{ github.event.inputs.main_br_version }}
+          COMMIT_SHA_2: ${{ env.COMMIT_SHA_2 }}
+          REPO_OWNER: ${{ github.repository_owner }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          # Install deps and run
          pip install -r ./tools/.github/scripts/release-requirements.txt
-          ./tools/.github/scripts/release.py ${{ github.repository_owner }} --kernel-repo-path=local_kernel --kernel-commit=${{ env.COMMIT_SHA_2 }} --new-kernel-version=${{ github.event.inputs.version_number }} --new-kernel-main-br-version=${{ github.event.inputs.main_br_version }}
+          ./tools/.github/scripts/release.py "$REPO_OWNER" --kernel-repo-path=local_kernel --kernel-commit="$COMMIT_SHA_2" --new-kernel-version="$VERSION_NUMBER" --new-kernel-main-br-version="$MAIN_BR_VERSION_NUMBER"
          exit $?
-        env:
-            GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Cleanup
+        env:
+          VERSION_NUMBER: ${{ github.event.inputs.version_number }}
        working-directory: ./local_kernel
        run: |
          # Delete the branch created for Tag by SBOM generator
-          git push -u origin --delete ${{ github.event.inputs.version_number }}
+          git push -u origin --delete "$VERSION_NUMBER"
--- a/tasks.c
+++ b/tasks.c
@ -3882,7 +3882,7 @@ void vTaskSuspendAll( void )
            /* This must never be called from inside a critical section. */
            configASSERT( portGET_CRITICAL_NESTING_COUNT() == 0 );

-            /* portSOFRWARE_BARRIER() is only implemented for emulated/simulated ports that
+            /* portSOFTWARE_BARRIER() is only implemented for emulated/simulated ports that
             * do not otherwise exhibit real time behaviour. */
            portSOFTWARE_BARRIER();