ci: use --sandbox for dynamically generated sed scripts

HastD · HastD · commit 3f4af378f437 · 2025-12-01T08:43:05.000-05:00
sed scripts are capable of doing file I/O and executing arbitrary
commands. The `--sandbox` option prevents this by rejecting sed commands
with such capabilities; it's good practice to use this whenever the sed
script is dynamically generated (e.g. if it involves a variable
expansion).

Also fixed an error in one sed script where `.*` had been placed outside
of the quoted string (and would therefore be subject to shell globbing),
presumably due to single-quotes having been changed to double-quotes at
some point in the past.

Signed-off-by: Daniel Hast &lt;hast.daniel@protonmail.com&gt;
diff --git a/.github/workflows/dev-bump.yml b/.github/workflows/dev-bump.yml
@@ -34,7 +34,7 @@ jobs:
               echo "::notice:: bumping z up to $devbump"
           fi
 
-          sed -i "s/const RawVersion = ".*"/const RawVersion = \"${devbump}\"/g" version/rawversion/version.go
+          sed --sandbox -i -e "s/const RawVersion = \".*\"/const RawVersion = \"${devbump}\"/g" version/rawversion/version.go
 
           echo "devbump=$devbump" >> $GITHUB_OUTPUT
       - name: Push
@@ -121,7 +121,7 @@ jobs:
           devbump="$(IFS=. ; echo "${arr[*]}")-dev"
           echo "::notice:: Bumping main to: $devbump"
 
-          sed -i "s/const RawVersion = \".*\"/const RawVersion = \"$devbump\"/g" version/rawversion/version.go
+          sed --sandbox -i -e "s/const RawVersion = \".*\"/const RawVersion = \"${devbump}\"/g" version/rawversion/version.go
 
           echo "devbump=$devbump" >> $GITHUB_OUTPUT
       - name: Push
diff --git a/.github/workflows/first_contrib_cert_generator.yml b/.github/workflows/first_contrib_cert_generator.yml
@@ -71,9 +71,9 @@ jobs:
           PR_NUMBER="${{ github.event.inputs.pr_number || github.event.pull_request.number }}"
           MERGE_DATE=$(date -u +"%B %d, %Y")
 
-          sed -i "/id=\"contributorName\"/s/value=\"[^\"]*\"/value=\"${CONTRIBUTOR_NAME}\"/" ${HTML_FILE} || { echo "ERROR: Failed to update contributor name."; exit 1; }
-          sed -i "/id=\"prNumber\"/s/value=\"[^\"]*\"/value=\"#${PR_NUMBER}\"/" ${HTML_FILE} || { echo "ERROR: Failed to update PR number."; exit 1; }
-          sed -i "/id=\"mergeDate\"/s/value=\"[^\"]*\"/value=\"${MERGE_DATE}\"/" ${HTML_FILE} || { echo "ERROR: Failed to update merge date."; exit 1; }
+          sed --sandbox -i -e "/id=\"contributorName\"/s/value=\"[^\"]*\"/value=\"${CONTRIBUTOR_NAME}\"/" ${HTML_FILE} || { echo "ERROR: Failed to update contributor name."; exit 1; }
+          sed --sandbox -i -e "/id=\"prNumber\"/s/value=\"[^\"]*\"/value=\"#${PR_NUMBER}\"/" ${HTML_FILE} || { echo "ERROR: Failed to update PR number."; exit 1; }
+          sed --sandbox -i -e "/id=\"mergeDate\"/s/value=\"[^\"]*\"/value=\"${MERGE_DATE}\"/" ${HTML_FILE} || { echo "ERROR: Failed to update merge date."; exit 1; }
 
       # Step 4: Setup Node.js environment
       - name: Setup Node.js
diff --git a/.github/workflows/machine-os-pr.yml b/.github/workflows/machine-os-pr.yml
@@ -82,8 +82,8 @@ jobs:
           VERS: ${{steps.getversion.outputs.version}}
         run: |
           update=$(printf 's/export PODMAN_VERSION=".*"/export PODMAN_VERSION="%s"/g\n' "$VERS")
-          sed -i "$update" podman-rpm-info-vars.sh
-          sed -i 's/export PODMAN_PR_NUM=".*"/export PODMAN_PR_NUM="${{github.event.number}}"/g' podman-rpm-info-vars.sh
+          sed --sandbox -i -e "$update" podman-rpm-info-vars.sh
+          sed --sandbox -i -e "s/export PODMAN_PR_NUM=\".*\"/export PODMAN_PR_NUM=\"${{github.event.number}}\"/g" podman-rpm-info-vars.sh
           echo "Updated file:"
           cat podman-rpm-info-vars.sh
 
diff --git a/.github/workflows/update-podmanio.yml b/.github/workflows/update-podmanio.yml
@@ -106,7 +106,7 @@ jobs:
           steps.checkpr.outputs.prexists == 'false'
         run: |
           # Replace the version in static/data/global.ts file
-          sed -i "s/export const LATEST_VERSION = '.*';/export const LATEST_VERSION = '${{ steps.getversion.outputs.version }}';/g" static/data/global.ts
+          sed --sandbox -i -e "s/export const LATEST_VERSION = '.*';/export const LATEST_VERSION = '${{ steps.getversion.outputs.version }}';/g" static/data/global.ts
           echo "Updated file:"
           cat static/data/global.ts
 
