fix security in gh action

2025-10-29 19:49:07 +00:00 · 2025-10-28 13:03:28 +07:00 · 2025-10-28 13:03:28 +07:00 · 417f44acab
commit 417f44acab
parent 113a763bc3
4 changed files with 38 additions and 21 deletions
--- a/.github/actions/get_deps/action.yml
+++ b/.github/actions/get_deps/action.yml
@ -26,7 +26,9 @@ runs:
      shell: bash

    - name: Get Dependencies
+      env:
+        ARG: ${{ inputs.arg }}
      run: |
-        python3 tools/get_deps.py ${{ inputs.arg }}
+        python3 tools/get_deps.py ${ARG}
        echo "PICO_SDK_PATH=${{ github.workspace }}/pico-sdk" >> $GITHUB_ENV
      shell: bash
--- a/.github/actions/setup_toolchain/action.yml
+++ b/.github/actions/setup_toolchain/action.yml
@ -30,8 +30,10 @@ runs:
        inputs.toolchain != 'arm-gcc' &&
        inputs.toolchain != 'esp-idf'
      id: set-toolchain-url
+      env:
+        TOOLCHAIN: ${{ inputs.toolchain }}
      run: |
-        TOOLCHAIN_URL=$(jq -r '."${{ inputs.toolchain }}"' .github/actions/setup_toolchain/toolchain.json)
+        TOOLCHAIN_URL=$(jq -r '."$TOOLCHAIN"' .github/actions/setup_toolchain/toolchain.json)
        echo "toolchain_url=$TOOLCHAIN_URL"
        echo "toolchain_url=$TOOLCHAIN_URL" >> $GITHUB_OUTPUT
      shell: bash
@ -47,11 +49,13 @@ runs:

    - name: Set toolchain option
      id: set-toolchain-option
+      env:
+        TOOLCHAIN: ${{ inputs.toolchain }}
      run: |
          BUILD_OPTION=""
-          if [[ "${{ inputs.toolchain }}" == *"clang"* ]]; then
+          if [[ "$TOOLCHAIN" == *"clang"* ]]; then
            BUILD_OPTION="--toolchain clang"
-          elif [[ "${{ inputs.toolchain }}" == "arm-iar" ]]; then
+          elif [[ "$TOOLCHAIN" == "arm-iar" ]]; then
            BUILD_OPTION="--toolchain iar"
          fi
          echo "build_option=$BUILD_OPTION"
--- a/.github/actions/setup_toolchain/download/action.yml
+++ b/.github/actions/setup_toolchain/download/action.yml
@ -21,29 +21,34 @@ runs:

    - name: Install Toolchain
      if: steps.cache-toolchain-download.outputs.cache-hit != 'true'
+      env:
+        TOOLCHAIN: ${{ inputs.toolchain }}
+        TOOLCHAIN_URL: ${{ inputs.toolchain_url }}
      run: |
-        mkdir -p ~/cache/${{ inputs.toolchain }}
+        mkdir -p ~/cache/${TOOLCHAIN}

-        if [[ ${{ inputs.toolchain }} == rx-gcc ]]; then
-          wget --progress=dot:giga ${{ inputs.toolchain_url }} -O toolchain.run
+        if [[ ${TOOLCHAIN} == rx-gcc ]]; then
+          wget --progress=dot:giga ${TOOLCHAIN_URL} -O toolchain.run
          chmod +x toolchain.run
-          ./toolchain.run -p ~/cache/${{ inputs.toolchain }}/gnurx -y
-        elif [[ ${{ inputs.toolchain }} == arm-iar ]]; then
-          wget --progress=dot:giga https://netstorage.iar.com/FileStore/STANDARD/001/003/926/iar-lmsc-tools_1.8_amd64.deb -O ~/cache/${{ inputs.toolchain }}/iar-lmsc-tools.deb
-          wget --progress=dot:giga ${{ inputs.toolchain_url }} -O ~/cache/${{ inputs.toolchain }}/cxarm.deb
+          ./toolchain.run -p ~/cache/${TOOLCHAIN}/gnurx -y
+        elif [[ ${TOOLCHAIN} == arm-iar ]]; then
+          wget --progress=dot:giga https://netstorage.iar.com/FileStore/STANDARD/001/003/926/iar-lmsc-tools_1.8_amd64.deb -O ~/cache/${TOOLCHAIN}/iar-lmsc-tools.deb
+          wget --progress=dot:giga ${TOOLCHAIN_URL} -O ~/cache/${TOOLCHAIN}/cxarm.deb
        else
-          wget --progress=dot:giga ${{ inputs.toolchain_url }} -O toolchain.tar.gz
-          tar -C ~/cache/${{ inputs.toolchain }} -xaf toolchain.tar.gz
+          wget --progress=dot:giga ${TOOLCHAIN_URL} -O toolchain.tar.gz
+          tar -C ~/cache/${TOOLCHAIN} -xaf toolchain.tar.gz
        fi
      shell: bash

    - name: Setup Toolchain
+      env:
+        TOOLCHAIN: ${{ inputs.toolchain }}
      run: |
-        if [[ ${{ inputs.toolchain }} == arm-iar ]]; then
-          sudo dpkg -i ~/cache/${{ inputs.toolchain }}/iar-lmsc-tools.deb
-          sudo apt install -y ~/cache/${{ inputs.toolchain }}/cxarm.deb
+        if [[ ${TOOLCHAIN} == arm-iar ]]; then
+          sudo dpkg -i ~/cache/${TOOLCHAIN}/iar-lmsc-tools.deb
+          sudo apt install -y ~/cache/${TOOLCHAIN}/cxarm.deb
          echo >> $GITHUB_PATH "/opt/iar/cxarm/arm/bin"
        else
-          echo >> $GITHUB_PATH `echo ~/cache/${{ inputs.toolchain }}/*/bin`
+          echo >> $GITHUB_PATH `echo ~/cache/${TOOLCHAIN}/*/bin`
        fi
      shell: bash
--- a/.github/actions/setup_toolchain/espressif/action.yml
+++ b/.github/actions/setup_toolchain/espressif/action.yml
@ -13,8 +13,10 @@ runs:
  using: "composite"
  steps:
    - name: Set DOCKER_ESP_IDF
+      env:
+        TOOLCHAIN: ${{ inputs.toolchain }}
      run: |
-        DOCKER_ESP_IDF=$HOME/cache/${{ inputs.toolchain }}/docker_image.tar
+        DOCKER_ESP_IDF=$HOME/cache/${TOOLCHAIN}/docker_image.tar
        echo "DOCKER_ESP_IDF=$DOCKER_ESP_IDF" >> $GITHUB_ENV
      shell: bash

@ -27,10 +29,12 @@ runs:

    - name: Pull and Save Docker Image
      if: steps.cache-toolchain-espressif.outputs.cache-hit != 'true'
+      env:
+        TOOLCHAIN_VERSION: ${{ inputs.toolchain_version }}
      run: |
-        docker pull espressif/idf:${{ inputs.toolchain_version }}
+        docker pull espressif/idf:${TOOLCHAIN_VERSION}
        mkdir -p $(dirname $DOCKER_ESP_IDF)
-        docker save -o $DOCKER_ESP_IDF espressif/idf:${{ inputs.toolchain_version }}
+        docker save -o $DOCKER_ESP_IDF espressif/idf:${TOOLCHAIN_VERSION}
        du -sh $DOCKER_ESP_IDF
      shell: bash

@ -42,7 +46,9 @@ runs:
      shell: bash

    - name: Tag Local Image
+      env:
+        TOOLCHAIN_VERSION: ${{ inputs.toolchain_version }}
      run: |
-        docker tag espressif/idf:${{ inputs.toolchain_version }} espressif/idf:tinyusb
+        docker tag espressif/idf:${TOOLCHAIN_VERSION} espressif/idf:tinyusb
        docker images
      shell: bash