if_always_true.md

| title | slug | url | rule | severity |
| --- | --- | --- | --- | --- |
| If condition always evaluates to true | if_always_true | /rules/if_always_true/ | if_always_true | error |

Description

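A GitHub Actions expression used in the if condition of a job or step must not have extra characters or whitespace around it. Otherwise, the condition always evaluates to true: any text outside ${{ }}, including the trailing newline that a | block scalar keeps, turns the whole value into a string, and a non-empty string is truthy.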

This can lead to logic bugs and possibly expose parts of the workflow only meant to be executed in secure contexts.

Remediation

Recommended

name: Conditionally process PR

on:
  pull_request_target:
    types: [opened, synchronize, reopened]

jobs:
  process-pr:
    runs-on: ubuntu-latest
    steps:
      - name: Auto-format markdown files
        if: github.actor == 'torvalds' || github.actor == 'dependabot[bot]'
        uses: messypoutine/actionable/.github/actions/auto-format@0108c4ec935a308435e665a0e9c2d1bf91e25685 # v1.0.0

Anti-Pattern

name: Conditionally process PR

on:
  pull_request_target:
    types: [opened, synchronize, reopened]

jobs:
  process-pr:
    runs-on: ubuntu-latest
    steps:
      - name: Auto-format markdown files
        if: |
          ${{ 
              github.actor == 'torvalds' || 
              github.actor == 'dependabot[bot]'
          }}
        uses: messypoutine/actionable/.github/actions/auto-format@0108c4ec935a308435e665a0e9c2d1bf91e25685 # v1.0.0
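
A check for this anti-pattern, as an added example (not code from this page or from the project that defines the rule). It is a line-based scan rather than a YAML parser, so it assumes unquoted `if:` values without inline comments; the function names and the sample workflow fragment are constructed for illustration.

```python
import re

IF_KEY = re.compile(r"^(\s*(?:-\s+)?)if:\s*(.*?)\s*$")

def always_true(cond: str) -> bool:
    """True when text around ${{ }} turns the condition into a non-empty string."""
    if "${{" not in cond:
        return False  # bare expression, evaluated as written
    wrapped = cond.startswith("${{") and cond.endswith("}}")
    return not wrapped or cond.count("${{") > 1

def if_conditions(workflow: str):
    """Yield (line_number, value) per `if:` key, resolving block scalars."""
    lines = workflow.splitlines()
    for i, line in enumerate(lines):
        m = IF_KEY.match(line)
        if not m:
            continue
        indent, value = len(m.group(1)), m.group(2)
        if re.fullmatch(r"[|>][+-]?", value):  # block scalar header
            body = []
            for nxt in lines[i + 1:]:
                if nxt.strip() and len(nxt) - len(nxt.lstrip()) <= indent:
                    break
                body.append(nxt.strip())
            chomp = "" if value.endswith("-") else "\n"  # "|-"/">-" strip the newline
            value = "\n".join(body).strip("\n") + chomp
        yield i + 1, value

def findings(workflow: str):
    return [n for n, cond in if_conditions(workflow) if always_true(cond)]

# Constructed sample workflow fragment (not from the page)
SAMPLE = """\
steps:
  - if: github.actor == 'dependabot[bot]'
    run: echo bare expression
  - if: |
      ${{
          github.actor == 'dependabot[bot]'
      }}
    run: echo block scalar keeps a trailing newline
  - if: |-
      ${{ github.actor == 'dependabot[bot]' }}
    run: echo strip chomping leaves a pure expression
  - if: ${{ github.actor == 'a' }} || ${{ github.actor == 'b' }}
    run: echo two expressions joined as text
"""
print(findings(SAMPLE))
```

The reported numbers are the lines of the offending `if:` keys: the `|` block scalar and the condition built from two separate `${{ }}` expressions are flagged, while the bare expression and the `|-` form are not.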

See Also