Skip to content

Add link to new member playbook to auto-generated PRs #319

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Add link to new member playbook to auto-generated PRs #319

wants to merge 2 commits into from

Conversation

@tim-schilling
Copy link
Member

@tim-schilling tim-schilling commented Nov 14, 2025

I always end up having to revisit the rest of the playbook to remember the next steps. This saves me a few keystrokes 😁

@tim-schilling
Add link to new member playbook to auto-generated PRs
cdeafd8 
I always end up having to revisit the rest of the playbook to remember the next steps. This saves me a few keystrokes 😁
@tim-schilling tim-schilling requested a review from a team as a code owner November 14, 2025 12:45
github-advanced-security[bot]
github-advanced-security bot found potential problems Nov 14, 2025
View reviewed changes
@ryancheley
Copy link
Member

ryancheley commented Nov 15, 2025

There was a zizmor warning that I was able to fix with zizmor --fix=all .github/workflows/add_member.yml and push up. Otherwise looks good to me.

tim-schilling
tim-schilling commented Nov 17, 2025
View reviewed changes
.github/workflows/add_member.yml
Comment on lines +44 to +46
ISSUE_USER: ${{ env.ISSUE_USER }}
USERNAME: ${{ env.USERNAME }}
ISSUE_NUMBER: ${{ env.ISSUE_NUMBER }}
Copy link
Member Author

@tim-schilling tim-schilling Nov 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Something seems off here. Either we don't need to make these re-assignments, or we're no longer capturing the proper data.

Copy link
Member

@ryancheley ryancheley Nov 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure I understand. What zizmor was pointing out in was that the environment variables could be exposed to injection via shell expansion. By refactoring this was that risk is mitigated. I'm seeing all of the variables being used below ... feels like I'm missing something now 😄

Copy link
Member

@Stormheg Stormheg Nov 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This seems correct to me. By makings these reassignments and using them like this, it stops injection attacks.

It does look a bit weird and unnecessary on first glance, but it is absolutely on purpose 😄

Copy link
Member Author

@tim-schilling tim-schilling Nov 23, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@Stormheg can you link me to something that explains that? I don't understand why we're putting something into the environment when it's already in the environment.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ryancheley ryancheley ryancheley left review comments

@Stormheg Stormheg Stormheg left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@tim-schilling @ryancheley @Stormheg