On Thu, May 07, 2020 at 12:53:09PM -0700, Junio C Hamano wrote:
> Jeff King <peff@xxxxxxxx> writes:
>
> > + - id: check-ref
> > + name: check whether CI is enabled for ref
> > + run: |
> > + enabled=yes
> > + if test -x config-repo/ci/config/allow-ref &&
> > + ! config-repo/ci/config/allow-ref '${{ github.ref }}'
>
> Is it deliberate that the output from the script is not redirected
> to >/dev/null, which would mean they are allowed to do something
> that looks like:
>
> echo "::set-output name=enabled::frotz"
>
> or emit other random ::string-that-affects-github-actions to its
> standard output stream?
It was deliberate in the sense that I would allow them to write useful
messages to the Actions log. If they want to do nonsense like
"::set-output", then it's their foot and their gun.
I don't know if Actions distinguishes between stdout and stderr here
(i.e., if we redirected the script's stdout to stderr, would that
prevent this case or not?).
-Peff
