workflows/eval: avoid potential script injection attack

Although matrix.system is supposed to be generated from trusted code, we'd better follow [Github Actions good practices][1]. [1]: https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
NixOS · Nov 20, 2024 · f807208 · f807208
1 parent 516819d
commit f807208
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/.github/workflows/eval.yml b/.github/workflows/eval.yml
@@ -85,9 +85,11 @@ jobs:
         uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
 
       - name: Evaluate the ${{ matrix.system }} output paths for all derivation attributes
+        env:
+          MATRIX_SYSTEM: ${{ matrix.system }}
         run: |
           nix-build nixpkgs/ci -A eval.singleSystem \
-            --argstr evalSystem ${{ matrix.system }} \
+            --argstr evalSystem "$MATRIX_SYSTEM" \
             --arg attrpathFile ./paths/paths.json \
             --arg chunkSize 10000
           # If it uses too much memory, slightly decrease chunkSize