From 0ed6885a65a1dcd9fc70c48fc1b3a1ae2eef6c23 Mon Sep 17 00:00:00 2001
From: Martin Schuppert
Date: Mon, 22 Jun 2026 15:49:11 +0200
Subject: [PATCH] Remove tj-actions/branch-names from build workflow

Replace tj-actions/branch-names with github.ref_name which provides the branch name natively without a third-party action. The tj-actions GitHub namespace was compromised in March 2025 (CVE-2025-30066) and using actions from that namespace is no longer recommended. Pass the value via env: to avoid shell interpolation of untrusted input in run: blocks.
Jira: OSPRH-31654
Co-Authored-By: Claude Opus 4.6
Signed-off-by: Martin Schuppert
---
 .github/workflows/build-test-operator.yaml | 30 +++++++++-------------
 1 file changed, 12 insertions(+), 18 deletions(-)
diff --git a/.github/workflows/build-test-operator.yaml b/.github/workflows/build-test-operator.yaml
index 8097cff1..e6712071 100644
--- a/.github/workflows/build-test-operator.yaml
+++ b/.github/workflows/build-test-operator.yaml
@@ -32,14 +32,12 @@ jobs:
 steps:
 - uses: actions/checkout@v6
- - name: Get branch name
- id: branch-name
- uses: tj-actions/branch-names@v9
-
 - name: Set latest tag for non main branch
- if: "${{ steps.branch-name.outputs.current_branch != 'main' }}"
+ if: github.ref_name != 'main'
+ env:
+ BRANCH_NAME: ${{ github.ref_name }}
 run: |
- echo "latesttag=${{ steps.branch-name.outputs.current_branch }}-latest" >> $GITHUB_ENV
+ echo "latesttag=${BRANCH_NAME}-latest" >> $GITHUB_ENV
 - name: Buildah Action
 id: build-test-operator
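Review bot: `github.ref_name` is not a drop-in for the removed `steps.branch-name.outputs.current_branch` in the `env:` added to the "Set latest tag for non main branch" step: on `pull_request` events it resolves to `<pr-number>/merge` rather than the source branch, so `latesttag` becomes something like `123/merge-latest`, which is not a valid image tag and differs from what the old step produced. Whether this workflow is triggered on pull requests is outside the hunk, so this may be moot. If it is, `BRANCH_NAME: ${{ github.head_ref || github.ref_name }}` keeps the env-variable indirection the commit introduces while restoring the head-branch value; the same applies to the identical steps in the hunks at -106 and -143.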
@@ -106,14 +104,12 @@ jobs:
 BASE_IMAGE: test-operator
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- - name: Get branch name
- id: branch-name
- uses: tj-actions/branch-names@v9
-
 - name: Set latest tag for non main branch
- if: "${{ steps.branch-name.outputs.current_branch != 'main' }}"
+ if: github.ref_name != 'main'
+ env:
+ BRANCH_NAME: ${{ github.ref_name }}
 run: |
- echo "latesttag=${{ steps.branch-name.outputs.current_branch }}-latest" >> $GITHUB_ENV
+ echo "latesttag=${BRANCH_NAME}-latest" >> $GITHUB_ENV
 - name: Build test-operator-bundle using buildah
 id: build-test-operator-bundle
@@ -143,14 +139,12 @@ jobs:
 - name: Checkout test-operator repository
 uses: actions/checkout@v6
- - name: Get branch name
- id: branch-name
- uses: tj-actions/branch-names@v9
-
 - name: Set latest tag for non main branch
- if: "${{ steps.branch-name.outputs.current_branch != 'main' }}"
+ if: github.ref_name != 'main'
+ env:
+ BRANCH_NAME: ${{ github.ref_name }}
 run: |
- echo "latesttag=${{ steps.branch-name.outputs.current_branch }}-latest" >> $GITHUB_ENV
+ echo "latesttag=${BRANCH_NAME}-latest" >> $GITHUB_ENV
 - name: Install opm
 uses: redhat-actions/openshift-tools-installer@v1
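Review bot: The rewritten `echo "latesttag=${BRANCH_NAME}-latest" >> $GITHUB_ENV` line in this hunk and in the one at -143 still writes the branch name into an image tag unsanitized; the `env:` indirection removes the shell-interpolation risk, but a branch such as `feature/x` yields a tag containing `/`, which the OCI tag grammar (`[A-Za-z0-9_][A-Za-z0-9_.-]*`) rejects, so the build step that consumes `latesttag` would presumably fail at tagging time. Replacing the disallowed characters in the shell, `echo "latesttag=${BRANCH_NAME//[^A-Za-z0-9_.-]/-}-latest" >> "$GITHUB_ENV"`, keeps the value inert and also quotes `$GITHUB_ENV`. The old line had the same gap, but now that the step is duplicated verbatim in three jobs it may be worth hoisting into one reusable step or composite action so the sanitization lives in a single place.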