From 0a35ca7cba9d1db7a0574ff24a84efa6f785e634 Mon Sep 17 00:00:00 2001 From: Adam Dangoor Date: Tue, 17 Mar 2026 08:15:00 +0000 Subject: [PATCH 1/5] Move release and tag version into env vars to prevent template injection --- .github/workflows/release.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 097227229..939cd0fe1 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -45,8 +45,10 @@ jobs: - name: Get the changelog underline id: changelog_underline + env: + RELEASE: ${{ steps.calver.outputs.release }} run: | - underline="$(echo "${{ steps.calver.outputs.release }}" | tr -c '\n' '-')" + underline="$(echo "$RELEASE" | tr -c '\n' '-')" echo "underline=${underline}" >> "$GITHUB_OUTPUT" - name: Update changelog From edbd6880d8f67e67b712b754a8be247c79c3ef1a Mon Sep 17 00:00:00 2001 From: Adam Dangoor Date: Tue, 17 Mar 2026 08:26:13 +0000 Subject: [PATCH 2/5] Enable template-injection rule in zizmor config Made-with: Cursor --- zizmor.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/zizmor.yml b/zizmor.yml index fab119cb0..863db3458 100644 --- a/zizmor.yml +++ b/zizmor.yml @@ -10,5 +10,3 @@ rules: disable: true superfluous-actions: disable: true - template-injection: - disable: true From bb1edd162a2139439728c917c9338d188b538552 Mon Sep 17 00:00:00 2001 From: Adam Dangoor Date: Tue, 17 Mar 2026 08:30:10 +0000 Subject: [PATCH 3/5] Fix template-injection in Check steps Made-with: Cursor --- .github/workflows/release.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 939cd0fe1..97a07983b 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
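Review bot: `echo "$RELEASE"` in the rewritten `underline=` line still hands the value to echo as an argument, so a value beginning with `-n` or `-e` would be consumed as an echo option rather than underlined; `underline="$(printf '%s\n' "$RELEASE" | tr -c '\n' '-')"` avoids that and is also the form shellcheck prefers. The move into `env:` does close the `${{ }}` shell-injection path, which is the point of the patch. One residual worth knowing about: `tr -c '\n' '-'` deliberately preserves newlines, so if `steps.calver.outputs.release` could ever contain one, the `echo "underline=${underline}" >> "$GITHUB_OUTPUT"` line would write a second key/value line into the outputs file; the calver step is not visible here, so this only needs a guard if that output is not guaranteed single-line. The enclosing job continues outside the hunk.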
@@ -66,8 +66,10 @@ jobs: regex: false - name: Check Update changelog was modified + env: + MODIFIED_FILES: ${{ steps.update_changelog.outputs.modifiedFiles }} run: | - if [ "${{ steps.update_changelog.outputs.modifiedFiles }}" = "0" ]; then + if [ "$MODIFIED_FILES" = "0" ]; then echo "Error: No files were modified when updating changelog" exit 1 fi From 457963fb6c92070f9a4aead7d9b356d5e2b53644 Mon Sep 17 00:00:00 2001 From: Adam Dangoor Date: Tue, 17 Mar 2026 08:45:44 +0000 Subject: [PATCH 4/5] Fix remaining template-injection findings and check-manifest Made-with: Cursor --- .github/workflows/test.yml | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index ae8be6bd2..44d2bbd79 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -131,15 +131,16 @@ jobs: cache-dependency-glob: '**/pyproject.toml' - name: Set secrets file - run: | - # See the "CI Setup" document for details of how this was set up. - ci/decrypt_secret.sh - tar xvf "${HOME}"/secrets/secrets.tar - cp ./ci_secrets/vuforia_secrets_${{ strategy.job-index }}.env ./vuforia_secrets.env env: CI_PATTERN: ${{ matrix.ci_pattern }} ENCRYPTED_FILE: secrets.tar.gpg LARGE_SECRET_PASSPHRASE: ${{ secrets.PASSPHRASE_FOR_VUFORIA_SECRETS }} + JOB_INDEX: ${{ strategy.job-index }} + run: | + # See the "CI Setup" document for details of how this was set up. + ci/decrypt_secret.sh + tar xvf "${HOME}"/secrets/secrets.tar + cp ./ci_secrets/vuforia_secrets_${JOB_INDEX}.env ./vuforia_secrets.env # We have seen issues with running out of disk space on test_docker - name: Free Disk Space (Ubuntu) From 07d92f94929fb327990fbe9050f731da54295e24 Mon Sep 17 00:00:00 2001 From: Adam Dangoor Date: Tue, 17 Mar 2026 08:57:01 +0000 Subject: [PATCH 5/5] fix: quote JOB_INDEX in cp command for shellcheck SC2086 Made-with: Cursor --- .github/workflows/test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
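Review bot: The rewritten condition `if [ "$MODIFIED_FILES" = "0" ]; then` only fails when the output is literally `0`, so an unset or empty `modifiedFiles` output (for instance if the step were skipped or the action renamed its output) would pass the check silently; `if [ -z "$MODIFIED_FILES" ] || [ "$MODIFIED_FILES" = "0" ]; then` makes the guard fail closed. Whether the action can leave that output empty is not visible in this hunk, so treat this as a defensive tightening rather than a known failure. Minor: the error message would be better sent to stderr, `echo "Error: No files were modified when updating changelog" >&2`. The `regex: false` line at the top belongs to the preceding step, whose start is outside the hunk.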
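Review bot: `tar xvf "${HOME}"/secrets/secrets.tar` in the moved `run:` block prints every member name of the decrypted secrets bundle into the job log; `tar xf "${HOME}"/secrets/secrets.tar` extracts exactly the same files while keeping the bundle's contents listing out of the log. How sensitive those member names are depends on what the bundle holds, which is not visible here, so this is a low-cost hardening rather than a finding. Moving `strategy.job-index` into `JOB_INDEX` matches the env-var pattern used in the earlier hunks of this series and reads consistently with the existing `CI_PATTERN` and `ENCRYPTED_FILE` entries. The step sits inside a matrix job whose definition starts outside the hunk.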
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 44d2bbd79..323819b55 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -140,7 +140,7 @@ jobs: # See the "CI Setup" document for details of how this was set up. ci/decrypt_secret.sh tar xvf "${HOME}"/secrets/secrets.tar - cp ./ci_secrets/vuforia_secrets_${JOB_INDEX}.env ./vuforia_secrets.env + cp "./ci_secrets/vuforia_secrets_${JOB_INDEX}.env" ./vuforia_secrets.env # We have seen issues with running out of disk space on test_docker - name: Free Disk Space (Ubuntu)