mirror of
https://github.com/yewstack/yew.git
synced 2026-03-31 18:10:10 +00:00
* fix: variable interpolation/injection in scripts

github actions variable interpolation works differently than interpolation in bash syntax. The only safe way for untrusted user input is in general to store it in an env variable for scripts to access and use plain old bash string interpolation.

The place where variables are still interpolated 'raw' are places that are either guaranteed to be a commit hash, or a number, as per github action inputs.

* be resilient against expansion in 'publish' workflow

even though this requires elevated access, pass event input as an environment variable in the 'publish' workflow to avoid injection of arbitrary commands from the input string
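
A check for the pattern this commit removes, as an added example that is not part of the commit or the yew repository: it flags `${{ ... }}` expressions that land inside a `run:` script and ignores the same expression when it is assigned under `env:`. The sample workflow, the function name and the allowlist of hash-or-number contexts are assumptions made for illustration.

```python
import re

# Constructed workflow, not taken from the yew repository.
SAMPLE = """\
on:
  workflow_dispatch:
    inputs:
      version: {required: true}
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - name: interpolated into the script text (flagged)
        run: |
          echo "publishing ${{ github.event.inputs.version }}"
      - name: passed through the environment (not flagged)
        env:
          VERSION: ${{ github.event.inputs.version }}
        run: |
          echo "publishing $VERSION"
      - run: git checkout ${{ github.sha }}
"""

EXPR = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")
RUN_KEY = re.compile(r"^\s*(?:-\s+)?run:(.*)$")
# Assumed allowlist: contexts whose value is always a commit hash or a number.
ALLOWED = {"github.sha", "github.run_id", "github.run_number"}

def find_run_interpolations(text, allowed=ALLOWED):
    """Return [(line_no, expression)] for ${{ }} found inside run: scripts."""
    findings, key_col = [], None   # key_col: column of the active run: key
    for no, line in enumerate(text.splitlines(), 1):
        m = RUN_KEY.match(line)
        indent = len(line) - len(line.lstrip())
        if m:
            key_col, body = line.index("run:"), m.group(1)
        elif key_col is not None and (not line.strip() or indent > key_col):
            body = line            # continuation of a block-scalar script
        else:
            key_col = None         # sibling key or next step: script ended
            continue
        findings += [(no, e) for e in EXPR.findall(body) if e not in allowed]
    return findings

if __name__ == "__main__":
    for no, expr in find_run_interpolations(SAMPLE):
        print(f"line {no}: ${{{{ {expr} }}}} is expanded before bash runs")
```

The scan is line-based and only understands block-style `run:` scripts, so treat a clean result as a first pass rather than proof that a workflow is free of raw interpolation.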