Skip to content

[SITE-5793] Fix script injection in Behat test workflow#552

Open
AnaisPantheor wants to merge 2 commits into
mainfrom
fix/script-injection
Open

[SITE-5793] Fix script injection in Behat test workflow#552
AnaisPantheor wants to merge 2 commits into
mainfrom
fix/script-injection

Conversation

@AnaisPantheor

Copy link
Copy Markdown
Contributor

Summary

  • Move ${{ secrets.GITHUB_TOKEN }} from run: block to env: block in test-behat.yml

Why

Using ${{ }} expressions directly inside run: blocks is a script injection vulnerability. Secrets interpolated into shell scripts can leak through error messages or shell tracing. The secure pattern is to pass them through env: blocks.

Test plan

  • Verify Behat tests still authenticate with Composer and run successfully

@codacy-production

Copy link
Copy Markdown

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

NEW Get contextual insights on your PRs based on Codacy's metrics, along with PR and Jira context, without leaving GitHub. Enable AI reviewer
TIP This summary will be updated as you push new changes.

@AnaisPantheor AnaisPantheor marked this pull request as ready for review June 29, 2026 19:16

@jazzsequence jazzsequence left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this even needed? GHA environments naturally have a GH_TOKEN environment variable. This would only be needed if the token needs to be a PAT belonging to an actual individual/GH account.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants