Merge pull request #28 from yesolutions/cve-2022-24765

CVE 2022-24765
yesolutions · Apr 21, 2022 · 082a961 · 082a961
2 parents a988317 + ab56006
commit 082a961
Show file tree

Hide file tree

Showing 4 changed files with 17 additions and 8 deletions.
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -18,9 +18,11 @@ jobs:
 
     # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
-    - uses: actions/checkout@v1
+    - uses: actions/checkout@v3
+      with:
+        fetch-depth: 0
     - name: mirror-repository
-      uses: spyoungtech/[email protected].0
+      uses: spyoungtech/[email protected].1
       with:
         REMOTE: [email protected]:spyoungtech/mirror-action.git
         GIT_SSH_PRIVATE_KEY: ${{ secrets.GIT_SSH_KEY }}

diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,4 @@
-FROM alpine/git:latest
+FROM alpine/git@sha256:ec76d75a4b5367f16cf6dc859e23c06656761ad4dfcb1716c1800582ce05f5e8
 
 RUN apk --no-cache add bash
 

diff --git a/README.md b/README.md
@@ -13,7 +13,9 @@ For example, this project uses the following workflow to mirror from GitHub to G
 on: [push]
   ...
       steps:
-        - uses: actions/checkout@v1
+        - uses: actions/checkout@v3
+          with:
+            fetch-depth: 0
         - uses: yesolutions/mirror-action@master
           with:
             REMOTE: 'https://gitlab.com/spyoungtech/mirror-action.git'
@@ -40,7 +42,9 @@ Pretty much the same, but using `GIT_SSH_PRIVATE_KEY` and `GIT_SSH_KNOWN_HOSTS`
 
 ```yaml
       steps:
-        - uses: actions/checkout@v1
+        - uses: actions/checkout@v3
+          with:
+            fetch-depth: 0
         - uses: yesolutions/mirror-action@master
           with:
             REMOTE: 'ssh://[email protected]/spyoungtech/mirror-action.git'
@@ -58,7 +62,9 @@ you can do so by using the `GIT_SSH_NO_VERIFY_HOST` input option. e.g.
 
 ```yaml
       steps:
-        - uses: actions/checkout@v1
+        - uses: actions/checkout@v3
+          with:
+            fetch-depth: 0
         - uses: yesolutions/mirror-action@master
           with:
             REMOTE: [email protected]/spyoungtech/mirror-action.git

diff --git a/entrypoint.sh b/entrypoint.sh
@@ -5,6 +5,8 @@ if [[ "${DEBUG}" -eq "true" ]]; then
     set -x
 fi
 
+git config --global --add safe.directory /github/workspace
+
 GIT_USERNAME=${INPUT_GIT_USERNAME:-${GIT_USERNAME:-"git"}}
 REMOTE=${INPUT_REMOTE:-"$*"}
 REMOTE_NAME=${INPUT_REMOTE_NAME:-"mirror"}
@@ -15,13 +17,12 @@ GIT_SSH_NO_VERIFY_HOST=${INPUT_GIT_SSH_NO_VERIFY_HOST}
 GIT_SSH_KNOWN_HOSTS=${INPUT_GIT_SSH_KNOWN_HOSTS}
 HAS_CHECKED_OUT="$(git rev-parse --is-inside-work-tree 2>/dev/null || /bin/true)"
 
-
 if [[ "${HAS_CHECKED_OUT}" != "true" ]]; then
     echo "WARNING: repo not checked out; attempting checkout" > /dev/stderr
     echo "WARNING: this may result in missing commits in the remote mirror" > /dev/stderr
     echo "WARNING: this behavior is deprecated and will be removed in a future release" > /dev/stderr
     echo "WARNING: to remove this warning add the following to your yml job steps:" > /dev/stderr
-    echo " - uses: actions/checkout@v1" > /dev/stderr
+    echo " - uses: actions/checkout@v3" > /dev/stderr
     if [[ "${SRC_REPO}" -eq "" ]]; then
         echo "WARNING: SRC_REPO env variable not defined" > /dev/stderr
         SRC_REPO="https://github.com/${GITHUB_REPOSITORY}.git" > /dev/stderr