Skip to content

fix(ci): Harden workflows against shell injection and fix quoting issues #239

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
Tiryoh merged 2 commits into from
Apr 2, 2026
+24 −19
Merged

fix(ci): Harden workflows against shell injection and fix quoting issues #239

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
227902f
fix(ci): Harden workflows against shell injection and fix quoting issues
Tiryoh Apr 2, 2026
0963a9d
fix(ci): Restrict version-tag workflow to repository owner
Tiryoh Apr 2, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 8 additions & 8 deletions .github/scripts/update_changelog.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,27 +10,27 @@ fi

set -u

SRC_DIR=$(cd $(dirname ${BASH_SOURCE:-$0})/../../; pwd)
SRC_DIR=$(cd "$(dirname "${BASH_SOURCE:-$0}")"/../../; pwd)

generate_changelog() {
if [ $(git tag -l "v$1") ]; then
if [ "$(git tag -l "v$1")" ]; then
echo "git tag exists. re-generating CHANGELOG.md"
git-chglog--tag-filter-pattern="v.*\..*\..*" > CHANGELOG.md
git-chglog --tag-filter-pattern="v.*\..*\..*" > CHANGELOG.md
else
git tag v$1
git tag "v$1"
mv CHANGELOG.md CHANGELOG.md.bak
cat <(git-chglog --tag-filter-pattern="v.*\..*\..*" v$1) <(cat CHANGELOG.md.bak | grep -v "\[Unreleased\]" | grep -v 'name="unreleased"') > CHANGELOG.md
cat <(git-chglog --tag-filter-pattern="v.*\..*\..*" "v$1") <(cat CHANGELOG.md.bak | grep -v "\[Unreleased\]" | grep -v 'name="unreleased"') > CHANGELOG.md
rm CHANGELOG.md.bak
git tag -d v$1 > /dev/null
git tag -d "v$1" > /dev/null
fi
}

cd $SRC_DIR
cd "$SRC_DIR"
git fetch --tags -f
git checkout main
git pull origin main
if [[ -z "$(git tag -l)" ]]; then
echo no tags found
exit 1
fi
generate_changelog $1
generate_changelog "$1"
24 changes: 14 additions & 10 deletions .github/workflows/check-release-condition.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,28 +14,32 @@ jobs:
PR_TITLE: ${{ github.event.pull_request.title }}
id: release
run: |
echo $PR_TITLE | grep -E "release:? v[0-9\-\.]*" || exit 1
VERSION=$(echo $PR_TITLE | sed -E 's/.* (v[0-9\-\.]*)/\1/g')
echo $VERSION
echo ::set-output name=version::$VERSION
echo "$PR_TITLE" | grep -E "^release:? v[0-9]+(\.[0-9]+)*$" || exit 1
VERSION=$(echo "$PR_TITLE" | sed -nE 's/^release:? (v[0-9]+(\.[0-9]+)*)$/\1/p')
echo "$VERSION"
echo "version=$VERSION" >> "$GITHUB_OUTPUT"
- name: Dump poetry version
id: poetry
run: |
VERSION=$(grep version pyproject.toml | sed -E 's/.* "([0-9\-\.]*)"/v\1/g')
echo $VERSION
echo ::set-output name=version::$VERSION
echo "$VERSION"
echo "version=$VERSION" >> "$GITHUB_OUTPUT"
- name: Check version
env:
RELEASE_VERSION: ${{ steps.release.outputs.version }}
POETRY_VERSION: ${{ steps.poetry.outputs.version }}
run: |
if [[ "${{ steps.release.outputs.version }}" == "${{ steps.poetry.outputs.version }}" ]]; then
if [[ "$RELEASE_VERSION" == "$POETRY_VERSION" ]]; then
echo "VERSION MATCH"
else
echo "VERSION MISMATCH"
exit 1
fi
- name: Check CHANGELOG
env:
RELEASE_VERSION: ${{ steps.release.outputs.version }}
run: |

if [[ $(grep "${{ steps.release.outputs.version }}" CHANGELOG.md) == "" ]]; then
echo "VERSION MISMATCH"
if ! grep -Fq "$RELEASE_VERSION" CHANGELOG.md; then
echo "VERSION NOT FOUND IN CHANGELOG"
exit 1
fi
3 changes: 2 additions & 1 deletion .github/workflows/version-tag.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,12 +6,13 @@ on:
jobs:
version-tag:
runs-on: ubuntu-latest
if: github.actor == github.repository_owner
Comment on lines 8 to +9
Copy link

Copilot AI Apr 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The new job-level condition if: github.actor == github.repository_owner is a behavior change that will skip this workflow for tag pushes made by non-owner maintainers or automation (e.g., github-actions[bot]). If major/minor tag updates are expected to run for tag pushes created by CI or by collaborators with tag permissions, consider broadening/adjusting the condition (or documenting why only the repository owner should be allowed).

Copilot uses AI. Check for mistakes.
Copy link
Copy Markdown
Owner Author

@Tiryoh Tiryoh Apr 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is intentional. In this repository, only the repository owner pushes version tags. The same restriction pattern is already applied to the release-candidate workflow.

steps:
- name: checkout
uses: actions/checkout@v6
- name: tag
run: |
git remote set-url origin https://${{ secrets.GITHUB_TOKEN }}@github.com/${GITHUB_REPOSITORY}.git
git remote set-url origin "https://${{ secrets.GITHUB_TOKEN }}@github.com/${GITHUB_REPOSITORY}.git" 2>/dev/null
Copy link

Copilot AI Apr 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Redirecting git remote set-url stderr to /dev/null prevents potential token leakage, but it also removes actionable diagnostics if the command fails (the step will just error with no context). A safer approach is to avoid embedding the token in the remote URL at all (actions/checkout typically already configures authenticated remotes), or capture stderr and re-emit a sanitized failure message without the URL/token.

Suggested change
git remote set-url origin "https://${{ secrets.GITHUB_TOKEN }}@github.com/${GITHUB_REPOSITORY}.git" 2>/dev/null

Copilot uses AI. Check for mistakes.
Copy link
Copy Markdown
Owner Author

@Tiryoh Tiryoh Apr 2, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Removed the stderr suppression. GITHUB_TOKEN is scoped to the job and expires on completion, so token leakage in error logs is not a practical risk. Keeping diagnostic output is more valuable.

git tag $(basename ${TAG%.*.*})
git tag $(basename ${TAG%.*})
git push origin -f --tags
Expand Down
Loading