From eaa1adb3b2f138b31c97bdc3b87d8782f112c901 Mon Sep 17 00:00:00 2001
From: yihong <zouzou0208@gmail.com>
Date: Thu, 27 Feb 2025 10:20:04 +0800
Subject: [PATCH] ci: remove may expand into attacker-controllable code (#5407)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

### What problem does this PR solve?

_Briefly describe what this PR aims to solve. Include background context
that will help reviewers understand the purpose of the PR._

This patch remove dangerous code that `may expand into
attacker-controllable code`

more:

```cli
error[template-injection]: code injection via template expansion
  --> /Users/hyi/prs/ragflow/.github/workflows/tests.yml:35:9
   |
35 |         - name: Show PR labels
   |           ^^^^^^^^^^^^^^^^^^^^ this step
36 |           run: |
   |  _________^
37 | |           echo "Workflow triggered by ${{ github.event_name }}"
38 | |           if [[ ${{ github.event_name }} == 'pull_request' ]]; then
39 | |             echo "PR labels: ${{ join(github.event.pull_request.labels.*.name, ', ') }}"
40 | |           fi
   | |____________^ github.event.pull_request.labels.*.name may expand into attacker-controllable code
   |
   = note: audit confidence → High

```

using zizmor to check
https://woodruffw.github.io/zizmor/

but this patch do not fix them all, just remove high audit confidence →
High

### Type of change

- [ ] Bug Fix (non-breaking change which fixes an issue)
- [ ] New Feature (non-breaking change which adds functionality)
- [ ] Documentation Update
- [ ] Refactoring
- [ ] Performance Improvement
- [x] Other (please describe):

---------

Signed-off-by: yihong0618 <zouzou0208@gmail.com>
Co-authored-by: Zhichang Yu <yuzhichang@gmail.com>
---
 .github/workflows/tests.yml | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 15e37109d..81e666edd 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -32,12 +32,9 @@ jobs:
       # https://github.com/hmarr/debug-action
       #- uses: hmarr/debug-action@v2
 
-      - name: Show PR labels
+      - name: Show who triggered this workflow
         run: |
           echo "Workflow triggered by ${{ github.event_name }}"
-          if [[ ${{ github.event_name }} == 'pull_request' ]]; then
-            echo "PR labels: ${{ join(github.event.pull_request.labels.*.name, ', ') }}"
-          fi
 
       - name: Ensure workspace ownership
         run: echo "chown -R $USER $GITHUB_WORKSPACE" && sudo chown -R $USER $GITHUB_WORKSPACE