Follow GitHub recommendation to update release.yml (#1178)
GitHub recommends to store user inputs in environments variables
and then use them in scripts. This PR updates the code as per the
GitHub recommendation.
Details here - https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#understanding-the-risk-of-script-injections.
diff --git a/.github/workflows/auto-release.yml b/.github/workflows/auto-release.yml
index bad7a9b..3477f65 100644
--- a/.github/workflows/auto-release.yml
+++ b/.github/workflows/auto-release.yml
@@ -44,37 +44,49 @@
fetch-depth: 0
- name: Configure git identity
+ env:
+ ACTOR: ${{ github.actor }}
run: |
- git config --global user.name ${{ github.actor }}
- git config --global user.email ${{ github.actor }}@users.noreply.github.com
+ git config --global user.name "$ACTOR"
+ git config --global user.email "$ACTOR"@users.noreply.github.com
- name: create a new branch that references commit id
+ env:
+ VERSION_NUMBER: ${{ github.event.inputs.version_number }}
+ COMMIT_ID: ${{ github.event.inputs.commit_id }}
working-directory: ./local_kernel
run: |
- git checkout -b ${{ github.event.inputs.version_number }} ${{ github.event.inputs.commit_id }}
+ git checkout -b "$VERSION_NUMBER" "$COMMIT_ID"
echo "COMMIT_SHA_1=$(git rev-parse HEAD)" >> $GITHUB_ENV
- name: Update source files with version info
+ env:
+ VERSION_NUMBER: ${{ github.event.inputs.version_number }}
+ MAIN_BR_VERSION_NUMBER: ${{ github.event.inputs.main_br_version }}
+ COMMIT_SHA_1: ${{ env.COMMIT_SHA_1 }}
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
# Install deps and run
pip install -r ./tools/.github/scripts/release-requirements.txt
- ./tools/.github/scripts/update_src_version.py FreeRTOS --kernel-repo-path=local_kernel --kernel-commit=${{ env.COMMIT_SHA_1 }} --new-kernel-version=${{ github.event.inputs.version_number }} --new-kernel-main-br-version=${{ github.event.inputs.main_br_version }}
+ ./tools/.github/scripts/update_src_version.py FreeRTOS --kernel-repo-path=local_kernel --kernel-commit="$COMMIT_SHA_1" --new-kernel-version="$VERSION_NUMBER" --new-kernel-main-br-version="$MAIN_BR_VERSION_NUMBER"
exit $?
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name : Update version number in manifest.yml
+ env:
+ VERSION_NUMBER: ${{ github.event.inputs.version_number }}
working-directory: ./local_kernel
run: |
- ./.github/scripts/manifest_updater.py -v ${{ github.event.inputs.version_number }}
+ ./.github/scripts/manifest_updater.py -v "$VERSION_NUMBER"
exit $?
- name : Commit version number change in manifest.yml
+ env:
+ VERSION_NUMBER: ${{ github.event.inputs.version_number }}
working-directory: ./local_kernel
run: |
git add .
git commit -m '[AUTO][RELEASE]: Update version number in manifest.yml'
- git push -u origin ${{ github.event.inputs.version_number }}
+ git push -u origin "$VERSION_NUMBER"
- name: Generate SBOM
uses: FreeRTOS/CI-CD-Github-Actions/sbom-generator@main
@@ -83,24 +95,32 @@
source_path: ./
- name: commit SBOM file
+ env:
+ VERSION_NUMBER: ${{ github.event.inputs.version_number }}
working-directory: ./local_kernel
run: |
git add .
git commit -m '[AUTO][RELEASE]: Update SBOM'
- git push -u origin ${{ github.event.inputs.version_number }}
+ git push -u origin "$VERSION_NUMBER"
echo "COMMIT_SHA_2=$(git rev-parse HEAD)" >> $GITHUB_ENV
- name: Release
+ env:
+ VERSION_NUMBER: ${{ github.event.inputs.version_number }}
+ MAIN_BR_VERSION_NUMBER: ${{ github.event.inputs.main_br_version }}
+ COMMIT_SHA_2: ${{ env.COMMIT_SHA_2 }}
+ REPO_OWNER: ${{ github.repository_owner }}
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
# Install deps and run
pip install -r ./tools/.github/scripts/release-requirements.txt
- ./tools/.github/scripts/release.py ${{ github.repository_owner }} --kernel-repo-path=local_kernel --kernel-commit=${{ env.COMMIT_SHA_2 }} --new-kernel-version=${{ github.event.inputs.version_number }} --new-kernel-main-br-version=${{ github.event.inputs.main_br_version }}
+ ./tools/.github/scripts/release.py "$REPO_OWNER" --kernel-repo-path=local_kernel --kernel-commit="$COMMIT_SHA_2" --new-kernel-version="$VERSION_NUMBER" --new-kernel-main-br-version="$MAIN_BR_VERSION_NUMBER"
exit $?
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Cleanup
+ env:
+ VERSION_NUMBER: ${{ github.event.inputs.version_number }}
working-directory: ./local_kernel
run: |
# Delete the branch created for Tag by SBOM generator
- git push -u origin --delete ${{ github.event.inputs.version_number }}
+ git push -u origin --delete "$VERSION_NUMBER"
diff --git a/tasks.c b/tasks.c
index 147b1aa..421dea7 100644
--- a/tasks.c
+++ b/tasks.c
@@ -3882,7 +3882,7 @@
/* This must never be called from inside a critical section. */
configASSERT( portGET_CRITICAL_NESTING_COUNT() == 0 );
- /* portSOFRWARE_BARRIER() is only implemented for emulated/simulated ports that
+ /* portSOFTWARE_BARRIER() is only implemented for emulated/simulated ports that
* do not otherwise exhibit real time behaviour. */
portSOFTWARE_BARRIER();
