From 6b34118b984b3ef41dcb821e9fa125969ab17e5f Mon Sep 17 00:00:00 2001
From: Dmytro <45358107+dumitory-dev@users.noreply.github.com>
Date: Thu, 19 Mar 2026 17:42:12 +0200
Subject: [PATCH] fix(security): replace github.event expressions with env variables in telegram-bot workflow

---
 .github/workflows/telegram-bot.yml | 31 ++++++++++++++++++------------
 1 file changed, 19 insertions(+), 12 deletions(-)

diff --git a/.github/workflows/telegram-bot.yml b/.github/workflows/telegram-bot.yml
index ab42721c..10142fe0 100644
--- a/.github/workflows/telegram-bot.yml
+++ b/.github/workflows/telegram-bot.yml
@@ -17,12 +17,18 @@ jobs:
 name: Send comment to TG
 runs-on: ubuntu-latest
 env:
+ EVENT_ACTION: ${{ github.event.action }}
+ HAS_PULL_REQUEST: ${{ github.event.pull_request != null }}
+ HAS_COMMENT: ${{ github.event.comment != null }}
+ HAS_REVIEW: ${{ github.event.review != null }}
+ HAS_WORKFLOW_RUN: ${{ github.event.workflow_run != null }}
 PR_AUTHOR: ${{ github.event.pull_request.user.login }}
 PR_NAME: ${{ github.event.pull_request.title }}
 PR_BASE: ${{ github.event.pull_request.base.ref }}
 PR_URL: ${{ github.event.pull_request.html_url }}
 PR_NUMBER: ${{ github.event.pull_request.number }}
 PR_MERGED: ${{ github.event.pull_request.merged_by.login }}
+ PR_IS_MERGED: ${{ github.event.pull_request.merged }}
 REVIEW_STATE: ${{ github.event.review.state }}
 REVIEW_AUTHOR: ${{ github.event.review.user.login }}
 REVIEW_COMMENT: ${{ github.event.review.body }}
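Review bot: The env block (`EVENT_ACTION` through `PR_IS_MERGED`) carries no comment saying why event payload fields are bound here instead of being interpolated into the `run:` script, so the next edit can reintroduce `${{ github.event.* }}` inside `run:` and undo the fix the commit title describes; add above `env:` the line `# Bind github.event fields here only — never interpolate ${{ }} into run: scripts; titles, bodies and branch names are user-controlled.` The `!= null` flags evaluate to the strings `true`/`false`, which is what the `== "true"` tests in the next hunk compare against, so the flags themselves look consistent. PR_NAME, REVIEW_COMMENT and COMMENT_BODY are still untrusted text after this change; the script in the next hunk feeds them to `echo -e` inside double quotes, which prevents command execution but still expands backslash escapes contained in the value, so `printf '%s' "$PR_NAME"` would be the more literal choice for the escaping step.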
@@ -34,43 +40,44 @@ jobs:
 UNIVERUM_COMMIT: ${{ github.event.workflow_run.head_sha }}
 UNIVERSUM_BRANCH: ${{ github.event.workflow_run.head_branch }}
 UNIVERSUM_LOG: ${{ github.event.workflow_run.html_url }}
+ WORKFLOW_CONCLUSION: ${{ github.event.workflow_run.conclusion }}
 steps:
 - name: Send message to TG
 run: |
- if [[ ! -z "${{ github.event.pull_request }}" && "${{ github.event.action }}" == "opened" ]]; then
+ if [[ "$HAS_PULL_REQUEST" == "true" && "$EVENT_ACTION" == "opened" ]]; then
 ESCAPED_NAME=`echo -e "$PR_NAME" | sed 's/\&/\&/g' | sed 's//\>/g'`
 TEXT=`echo -e ""$PR_AUTHOR" created new PR#"$PR_NUMBER" '"$ESCAPED_NAME"' to branch '"$PR_BASE"'"`
- elif [[ ! -z "${{ github.event.pull_request }}" && "${{ github.event.action }}" == "synchronize" ]]; then
+ elif [[ "$HAS_PULL_REQUEST" == "true" && "$EVENT_ACTION" == "synchronize" ]]; then
 TEXT=`echo -e ""$PR_AUTHOR" updated PR#"$PR_NUMBER""`
- elif [[ ! -z "${{ github.event.pull_request }}" && "${{ github.event.action }}" == "closed" && "${{ github.event.pull_request.merged }}" == "true" ]]; then
+ elif [[ "$HAS_PULL_REQUEST" == "true" && "$EVENT_ACTION" == "closed" && "$PR_IS_MERGED" == "true" ]]; then
 TEXT=`echo -e ""$PR_MERGED" merged PR#"$PR_NUMBER" to branch '"$PR_BASE"'"`
- elif [[ ! -z "${{ github.event.pull_request }}" && "${{ github.event.action }}" == "closed" ]]; then
+ elif [[ "$HAS_PULL_REQUEST" == "true" && "$EVENT_ACTION" == "closed" ]]; then
 TEXT=`echo -e ""$PR_AUTHOR" closed PR#"$PR_NUMBER""`
- elif [[ ! -z "${{ github.event.comment }}" ]]; then
+ elif [[ "$HAS_COMMENT" == "true" ]]; then
 ESCAPED_TEXT=`echo -e "$COMMENT_BODY"| sed 's/\&/\&/g' | sed 's//\>/g'`
- if [[ ! -z "${{ github.event.pull_request }}" ]]; then
+ if [[ "$HAS_PULL_REQUEST" == "true" ]]; then
 TEXT=`echo -e ""$COMMENT_AUTHOR" posted the following comment to file "$COMMENT_FILE" in PR#"$PR_NUMBER":\n"$ESCAPED_TEXT""`
 else
 TEXT=`echo -e ""$COMMENT_AUTHOR" posted the following comment to issue #"$COMMENT_NUMBER":\n"$ESCAPED_TEXT""`
 fi
- elif [[ ! -z "${{ github.event.review }}" && "$REVIEW_STATE" == "changes_requested" ]]; then
+ elif [[ "$HAS_REVIEW" == "true" && "$REVIEW_STATE" == "changes_requested" ]]; then
 TEXT=`echo -e ""$REVIEW_AUTHOR" requested changes for PR#"$PR_NUMBER""`
- elif [[ ! -z "${{ github.event.review }}" && "$REVIEW_STATE" == "commented" && ! -z "$REVIEW_COMMENT" ]]; then
+ elif [[ "$HAS_REVIEW" == "true" && "$REVIEW_STATE" == "commented" && ! -z "$REVIEW_COMMENT" ]]; then
 ESCAPED_TEXT=`echo -e "$REVIEW_COMMENT"| sed 's/\&/\&/g' | sed 's//\>/g'`
 TEXT=`echo -e ""$REVIEW_AUTHOR" posted the following comment to PR#"$PR_NUMBER":\n"$ESCAPED_TEXT""`
- elif [[ ! -z "${{ github.event.review }}" && "$REVIEW_STATE" != "commented" ]]; then
+ elif [[ "$HAS_REVIEW" == "true" && "$REVIEW_STATE" != "commented" ]]; then
 TEXT=`echo -e ""$REVIEW_AUTHOR" "$REVIEW_STATE" PR#"$PR_NUMBER""`
- elif [[ -z "${{ github.event.review }}" && "${{ github.event.action }}" == "submitted" ]]; then
+ elif [[ "$HAS_REVIEW" != "true" && "$EVENT_ACTION" == "submitted" ]]; then
 TEXT=`echo -e "Due to GitHub Actions bug we cannot identify, who approved PR#"$PR_NUMBER""`
- elif [[ ! -z "${{ github.event.workflow_run }}" && "${{ github.event.workflow_run.conclusion }}" == "success" ]]; then
+ elif [[ "$HAS_WORKFLOW_RUN" == "true" && "$WORKFLOW_CONCLUSION" == "success" ]]; then
 ESCAPED_TEXT=`echo -e "$UNIVERSUM_BRANCH"| sed 's/\&/\&/g' | sed 's//\>/g'`
 TEXT=`echo -e "Universum run for branch "$ESCAPED_TEXT" SUCCEDED; commit "$UNIVERUM_COMMIT" "`
- elif [[ ! -z "${{ github.event.workflow_run }}" && "${{ github.event.workflow_run.conclusion }}" == "failure" ]]; then
+ elif [[ "$HAS_WORKFLOW_RUN" == "true" && "$WORKFLOW_CONCLUSION" == "failure" ]]; then
 ESCAPED_TEXT=`echo -e "$UNIVERSUM_BRANCH"| sed 's/\&/\&/g' | sed 's//\>/g'`
 TEXT=`echo -e "Universum run for branch "$ESCAPED_TEXT" FAILED; commit "$UNIVERUM_COMMIT" "`
 fi