How much should I care about github.ref_name? #102
I'm running zizmor against guac-visualizer's release workflow and one of the issues it reports is a template injection because we use It seems reasonable to me that we can simply ignore it. It might possibly be nice to be able to flag to zizmor somehow ("somehow" is doing a lot of work here) that it should always ignore a particular issue on a particular line because it's not a problem in reality (VEX statements, but for zizmor!). Alternatively, I think I could trick zizmor into not seeing it by shoving the output of I'm curious what others would do here.
Replies: 2 comments 1 reply
re: ignore, see #12 for that
FWIW, for `github.ref_name` in particular, you should be able to use the `GITHUB_REF_NAME` environment variable as a direct replacement for it. In your particular case, I think that would be:

```sh
pack build --env NODE_ENV=production ${IMAGE_URI}:${GITHUB_REF_NAME} --builder ${BUILDER} --buildpack ${BUILDPACK} --publish --sbom-output-dir ${BUILDPACK_SBOM_OUTPUT_DIR}
echo "IMAGE_DIGEST=$(crane digest ${IMAGE_URI}:${GITHUB_REF_NAME})" >> $GITHUB_OUTPUT
```

(I recognize that this isn't a super satisfying general answer, but I figured I'd mention it just in case you weren't aware!)
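As an added illustration (not from this thread or the guac-visualizer workflow), the same build step written both ways: the `${{ github.ref_name }}` template form that zizmor flags, and the `GITHUB_REF_NAME` environment-variable form suggested above. The job name, the `IMAGE_URI` value and the third step's `REF_NAME` mapping are assumed.

```yaml
# Added example, not the guac-visualizer release workflow. Names are assumed.
jobs:
  release:
    runs-on: ubuntu-latest
    env:
      IMAGE_URI: ghcr.io/example-org/example-image   # assumed placeholder
    steps:
      - uses: actions/checkout@v4

      # Flagged by zizmor as template injection: the runner substitutes the
      # ref name into the script text *before* the shell parses it, so the
      # value is treated as code rather than as data.
      - name: Build (template-expansion form)
        run: |
          pack build ${IMAGE_URI}:${{ github.ref_name }} --publish

      # Same step without expansion into the script: GITHUB_REF_NAME is a
      # default environment variable the runner sets for every step, and the
      # shell expands it as a quoted value, never as script text.
      - name: Build (environment-variable form)
        run: |
          pack build "${IMAGE_URI}:${GITHUB_REF_NAME}" --publish
          echo "IMAGE_DIGEST=$(crane digest "${IMAGE_URI}:${GITHUB_REF_NAME}")" >> "$GITHUB_OUTPUT"

      # For contexts that have no default variable, route the value through
      # env: so the shell still receives it as data (REF_NAME is assumed).
      - name: Explicit env mapping
        env:
          REF_NAME: ${{ github.ref_name }}
        run: |
          echo "building ref ${REF_NAME}"
```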