[llvm] [Github] Fix security issues in libcxx-run-benchmarks.yml workflow (PR #158467)
Aiden Grossman via llvm-commits
llvm-commits at lists.llvm.org
Sun Sep 14 01:11:01 PDT 2025
https://github.com/boomanaiden154 created https://github.com/llvm/llvm-project/pull/158467
There was one action dependency that was not hash pinned and this workflow also allowed code injection as the input might not be properly escaped when dumped into the run script.
From 7963c8566a1ec9f1aba0e746b09aea6b49583c40 Mon Sep 17 00:00:00 2001
From: Aiden Grossman <aidengrossman at google.com>
Date: Sun, 14 Sep 2025 08:09:20 +0000
Subject: [PATCH] [Github] Fix security issues in libcxx-run-benchmarks.yml
workflow
There was one action dependency that was not hash pinned and this
workflow also allowed code injection as the input might not be properly
escaped when dumped into the run script.
---
.github/workflows/libcxx-run-benchmarks.yml | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/libcxx-run-benchmarks.yml b/.github/workflows/libcxx-run-benchmarks.yml
index 5714600b63a5e..17a97df029ba5 100644
--- a/.github/workflows/libcxx-run-benchmarks.yml
+++ b/.github/workflows/libcxx-run-benchmarks.yml
@@ -33,12 +33,14 @@ jobs:
runs-on: llvm-premerge-libcxx-next-runners # TODO: This should run on a dedicated set of machines
steps:
- - uses: actions/setup-python at v6
+ - uses: actions/setup-python at e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
with:
python-version: '3.10'
- name: Extract information from the PR
id: vars
+ env:
+ COMMENT_BODY: ${{ github.event.comment.body }}
run: |
python3 -m venv .venv
source .venv/bin/activate
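Review bot: the `# v6.0.0` comment beside the new `actions/setup-python` pin is only as useful as the check that `e797f83bcb11b83ae66e0230d6156d7c80228e7c` is in fact the commit the `v6.0.0` tag resolves to; please confirm that before merging, since a comment that disagrees with the hash makes later bumps harder to audit. Moving `github.event.comment.body` into the step-level `env:` block is the right shape for the fix: the `${{ }}` expression is now expanded into an environment variable instead of into the script text, so the comment body can no longer change the shell commands that run.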
@@ -51,7 +53,7 @@ jobs:
print(f"pr_base={pr.base.sha}")
print(f"pr_head={pr.head.sha}")
EOF
- BENCHMARKS=$(echo "${{ github.event.comment.body }}" | sed -nE 's/\/libcxx-bot benchmark (.+)/\1/p')
+ BENCHMARKS=$(echo "$COMMENT_BODY" | sed -nE 's/\/libcxx-bot benchmark (.+)/\1/p')
echo "benchmarks=${BENCHMARKS}" >> ${GITHUB_OUTPUT}
- uses: actions/checkout at 08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
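Review bot: `echo "$COMMENT_BODY"` still passes a user-controlled string to the bash builtin `echo`, which will interpret a body that begins with `-n` or `-e` as options rather than text; `printf '%s\n' "$COMMENT_BODY"` avoids that. The `sed -nE 's/\/libcxx-bot benchmark (.+)/\1/p'` capture also accepts any characters after the command and prints one line per matching line of a multi-line comment, and the result is appended to `${GITHUB_OUTPUT}` as-is, so `steps.vars.outputs.benchmarks` is still untrusted data: either narrow the capture group to the characters a benchmark name is allowed to contain, or make sure every later consumer reads the output through `env:` the same way instead of interpolating `${{ steps.vars.outputs.benchmarks }}` into a `run:` script. Quoting `"${GITHUB_OUTPUT}"` is a minor style point while you are here.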