Skip to content

fix(ci): repair invalid contribution_approved workflow + harden untrusted inputs#55

Merged
Jose-Gael-Cruz-Lopez merged 1 commit into
mainfrom
fix/contribution-approved-workflow
Jul 4, 2026
Merged

fix(ci): repair invalid contribution_approved workflow + harden untrusted inputs#55
Jose-Gael-Cruz-Lopez merged 1 commit into
mainfrom
fix/contribution-approved-workflow

Conversation

@Jose-Gael-Cruz-Lopez

Copy link
Copy Markdown
Collaborator

Problem

contribution_approved.yml was an invalid workflow file and startup-failed on every event (visible as a string of failed push runs going back to commits before this work). The cause is on the "Comment on failure" step:

body: '... Error details: ${{ steps.process.outputs.error_message || steps.update_readme.outputs.error_message || "Unknown error" }}'

GitHub Actions expressions only allow single-quoted string literals; the double-quoted "Unknown error" is a syntax error that invalidates the whole file. Because the file never loaded, the manual contribution approval path never ran (the "Just Paste Link" flow uses the separate, healthy auto_extract.yml, so only manual New Hackathon / Close Hackathonapproved submissions were affected).

Fix

  1. Repair the syntax error — move error_message into env: and default to 'Unknown error' in JS. This also removes the script-injection into the github-script body flagged in [Critical] Security: GitHub Actions command & script injection via untrusted issue content #41.
  2. Harden the other injection sinks (they go live the moment the workflow starts running again): commit_message, contributor_name, and contributor_email now flow through env: and are referenced as quoted shell vars instead of ${{ }} interpolation into run:.
  3. No-op commit guard — an empty diff no longer fails the run and posts a spurious "error processing your contribution" comment.
  4. Least-privilege permissions: block added (contents: write, issues: write) — the file previously had none and fell back to the default token scopes.

Verification

  • YAML parses; no double-quoted literal remains inside any ${{ }}.
  • Pushing this branch produced no contribution_approved startup-failure for the commit, whereas prior branch pushes (with the broken file) did — confirming GitHub now accepts the file.

Out of scope (tracked in #41)

auto_extract.yml has the analogous commit_message injection on its own commit step. It's left untouched here to avoid risk to the primary, currently-working add-hackathon flow; it should get the same env: treatment as a follow-up.

Refs #41

🤖 Generated with Claude Code

…sted inputs

The 'Comment on failure' step used a double-quoted string literal ("Unknown error") inside a ${{ }} expression. GitHub Actions expressions only allow single-quoted literals, so the whole file was an invalid workflow — it startup-failed on every event and the manual-contribution approval path never ran.

Fixes:
- Move error_message into env: and default to 'Unknown error' in JS (fixes the syntax error AND removes the script-injection from #41).
- Move commit_message / contributor_name / contributor_email into env: and reference quoted shell vars (removes the command-injection sinks from #41 that go live once the workflow runs again).
- Add a git no-op guard so an empty diff no longer fails the run / posts a spurious failure comment.
- Add an explicit least-privilege permissions: block (contents+issues write).

Refs #41

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant