How to pass parameters to the script? #56
Comments
|
The easiest way to do this is via Actions' expression evaluation syntax ( - uses: actions/github-script@v1
with:
script: |
console.log('${{ steps.step-id.outputs.output-name }}')Note that the expression evaluation happens before the action runs, so the raw value will be inserted into the script string (hence the need for quotes). This assumes that you have a previous step whose ID is "step-id" and that whose outputs include a value called "output-name". See "About contexts and expressions" and "steps context". If this doesn't answer your question, please reply with an example so I can get a clearer idea of what you mean 😄 Thank you! |
|
This is a great way to introduce code-injection. I discourage this. Scenario: So, given previous example, I'll create e.g. commit message with: this would indeed expand into |
|
@mdvorak That's correct! I would generally discourage blindly evaluating untrusted user-provided content in a workflow. This advice is not specific to this action, though, as all steps have access to the outputs of the steps before them, and code injection is just one of a number of problems that may arise when working with untrusted data. |
|
Thank you, but then OP question is still valid - how to securely pass string data from workflow to the script? Thanks |
|
@mdvorak The security depends partially on the provenance of the data. If the step output is created in a way the workflow implementer can trust, the solution I posted earlier is generally safe. If the output comes from untrusted data, then it's not. As far as I can tell, @acidos was not specifically asking how to safely and securely include literally any type of step output, trusted or untrusted. In the future, we could potentially attach step outputs to the toolkit context, but it's currently not possible. Such a feature would provide the prior steps' output in a JavaScript string that could be used at runtime, rather than interpolated via context expression syntax. Another, somewhat safer way of doing this would be to set the prior steps' output as an environment variable in subsequent steps, although this is not specific to this action, it's just something that can be done with the tools that Actions provides: - uses: actions/github-script@v1
env:
DATA: ${{ steps.step-id.outputs.output-name }}
with:
script: |
console.log(process.env.DATA)See the context and expression syntax documentation for more examples. |
|
Ah, via env var, that did not occur to me! But it is actually perfectly safe way to pass arbitrary (string) data to the script. EDIT: This pattern might be adept to be part of the examples, since using direct expressions in scripts is always potential vulnerability or at least bug. Better to avoid it completely. |
|
If you plan to use just provide the inputs manually as env vars as suggested above by @jclem, but with the expected format by inputs:
foo:
required: true
# ...
- uses: actions/github-script@v7
env:
INPUT_FOO: ${{ inputs.foo }} # this part hotfixes the bug
with:
script: |
console.log(core.getInput('foo'))note: the code of |
Composite actions do not get passed the input from the overall action - only the composite action. Address this by manually setting the appropriate env var to ensure the value is passed through. See: actions/github-script#56
I am trying to pass variable from previous action to
github-script, but can't figure out syntax. Is it possible at all?The text was updated successfully, but these errors were encountered: