fix: composite action input pollution (#2348)

* fix: composite action input pollution * fix run steps * fix missing defaults in post after env cleanup * fix test to make more sense * Add tests and simplify change --------- Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
2024-06-05 16:44:44 +02:00
parent b917ecc184
commit b5ad3c4acd
16 changed files with 182 additions and 0 deletions
--- a/pkg/runner/step.go
+++ b/pkg/runner/step.go
@@ -239,6 +239,16 @@ func mergeEnv(ctx context.Context, step step) {
 	}

 	rc.withGithubEnv(ctx, step.getGithubContext(ctx), *env)
+
+	if step.getStepModel().Uses != "" {
+		// prevent uses action input pollution of unset parameters, skip this for run steps
+		// due to design flaw
+		for key := range *env {
+			if strings.Contains(key, "INPUT_") {
+				delete(*env, key)
+			}
+		}
+	}
 }

 func isStepEnabled(ctx context.Context, expr string, step step, stage stepStage) (bool, error) {