From d2f332a7addb601f01fa871509806db8c933fa7f Mon Sep 17 00:00:00 2001
From: Ian Smith
Date: Mon, 8 Dec 2025 11:09:28 -0800
Subject: [PATCH 1/2] Fix for code scanning alert no. 1035: Environment variable built from user-controlled sources The concern is that the file in the artifact might be created by an attacker to inject values into the env var being set. To address this vulnerability, we should strictly control the value of PR_NUMBER before it is written to $GITHUB_ENV. This means ensuring that: - Only valid, single-line numeric data is used (since PR numbers are always positive integers). - All potential for newlines, extra characters, or injection attacks is removed. - explicitly validate that the value is non-empty and matches expectations = Also, wrap the assignment in double quotes to further protect against expansion.
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
.github/workflows/publish-test-results.yml | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/publish-test-results.yml b/.github/workflows/publish-test-results.yml
index d05ff09a8..b6530f531 100644
--- a/.github/workflows/publish-test-results.yml
+++ b/.github/workflows/publish-test-results.yml
@@ -35,10 +35,13 @@ jobs:
 - name: Extract PR Number
 run: |
- eventjson=`cat 'artifacts/Event File/event.json'`
- prnumber=`echo $(jq -r '.pull_request.number' <<< "$eventjson")`
- echo "PR_NUMBER=$(echo $prnumber | tr -cd '0-9')" >> $GITHUB_ENV
-
+ prnumber=$(jq -r '.pull_request.number' < 'artifacts/Event File/event.json')
+ sanitized_prnumber=$(echo "$prnumber" | grep -E '^[0-9]+$' || echo "")
+ if [ -n "$sanitized_prnumber" ]; then
+ echo "PR_NUMBER=$sanitized_prnumber" >> "$GITHUB_ENV"
+ else
+ echo "PR_NUMBER=" >> "$GITHUB_ENV"
+ fi
 - name: Publish Unit Test Results
 uses: EnricoMi/publish-unit-test-result-action@v2
 with:
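Review bot: The `grep -E '^[0-9]+$'` filter on the new `sanitized_prnumber=` line is line-oriented, so if `jq -r` emits several newline-separated digit runs (possible when `.pull_request.number` in an attacker-supplied event.json is a string rather than a number) every such line passes, and the `-n` test then writes a multi-line value into `$GITHUB_ENV`; whether the runner rejects or ignores the stray line, the export is no longer the single integer the commit message promises. Validating the whole string with a bash regex keeps the export to exactly one token: `if [[ "$prnumber" =~ ^[0-9]+$ ]]; then echo "PR_NUMBER=$prnumber" >> "$GITHUB_ENV"; else echo "PR_NUMBER=" >> "$GITHUB_ENV"; fi`. The same per-line `grep` survives in the second patch's hunk, where `$sanitized_prnumber` is exported unconditionally.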
From 093b7a16b2c106480fec1788497292cb22beb482 Mon Sep 17 00:00:00 2001
From: Ian Smith
Date: Mon, 8 Dec 2025 11:30:53 -0800
Subject: [PATCH 2/2] Apply suggestions from code review
Co-authored-by: synthead
---
.github/workflows/publish-test-results.yml | 8 ++------
1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/publish-test-results.yml b/.github/workflows/publish-test-results.yml
index b6530f531..41283335c 100644
--- a/.github/workflows/publish-test-results.yml
+++ b/.github/workflows/publish-test-results.yml
@@ -36,12 +36,8 @@ jobs:
 - name: Extract PR Number
 run: |
 prnumber=$(jq -r '.pull_request.number' < 'artifacts/Event File/event.json')
- sanitized_prnumber=$(echo "$prnumber" | grep -E '^[0-9]+$' || echo "")
- if [ -n "$sanitized_prnumber" ]; then
- echo "PR_NUMBER=$sanitized_prnumber" >> "$GITHUB_ENV"
- else
- echo "PR_NUMBER=" >> "$GITHUB_ENV"
- fi
+ sanitized_prnumber=$(grep -E '^[0-9]+$' <<< "$prnumber")
+ echo "PR_NUMBER=$sanitized_prnumber" >> "$GITHUB_ENV"
 - name: Publish Unit Test Results
 uses: EnricoMi/publish-unit-test-result-action@v2
 with:
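Review bot: Dropping the `|| echo ""` fallback changes what happens on a non-numeric value: `grep` exits 1 when nothing matches, the command substitution hands that status to the `sanitized_prnumber=` assignment, and if the step runs under GitHub's default `bash -eo pipefail` shell (no `shell:` key is visible in this hunk) it aborts before the `echo ... >> "$GITHUB_ENV"` line runs, whereas the first patch exported an empty `PR_NUMBER=` and continued. That may be the intended fail-closed outcome, but the commit message does not say so and the following `Publish Unit Test Results` step presumably consumes `PR_NUMBER`. A one-line comment above the assignment would make the behaviour deliberate, e.g. `# grep exits non-zero on a non-numeric PR number; with errexit that fails the step instead of exporting an empty PR_NUMBER`.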