fix(ci): validate patch-release version input #41
Merged
BunsDev merged 1 commit on Jun 6, 2026
Conversation
Pull request overview
This PR hardens the patch-release GitHub Actions workflow against command-substitution injection by validating the user-supplied tag and ensuring the tag/note are not interpolated directly into shell scripts.
Changes:
- Introduces a workflow-level `PATCH_RELEASE_VERSION` env var and validates it early against a SemVer-like tag regex before running privileged steps.
- Replaces direct `${{ inputs.version }}` usage inside `run:` blocks with quoted `$PATCH_RELEASE_VERSION`.
- Moves `patch_note` use in the summary step into an env var (`PATCH_RELEASE_NOTE`) to avoid expression interpolation inside the summary shell.
| - name: Validate version input | ||
| run: | | ||
| if [[ ! "$PATCH_RELEASE_VERSION" =~ ^v[0-9]+\.[0-9]+\.[0-9]+(-[A-Za-z0-9.-]+)?$ ]]; then |
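Review bot: the `[[ "$PATCH_RELEASE_VERSION" =~ ... ]]` test only removes the injection if the variable reaches the shell through an `env:` mapping (`PATCH_RELEASE_VERSION: ${{ inputs.version }}`) rather than a `${{ }}` expression pasted into the `run:` body; this fragment shows the check but not the mapping, so confirm the workflow-level `env:` the description mentions is what feeds it. Keep the pattern to the right of `=~` unquoted as it is here, since quoting it makes bash compare the string literally. The `then` branch is not shown in this fragment: it must end in `exit 1` (or `false`), otherwise later steps still run on a rejected value. Worth a YAML comment beside the regex: it rejects SemVer build metadata (`v1.2.3+build.5`) and bare `1.2.3`, which is fine as an allow-list but will surprise whoever next triggers the workflow.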
Motivation
`patch-release` workflow accepted an arbitrary `workflow_dispatch` `version` string and interpolated it directly into `run` scripts, enabling command-substitution injection that can read `GH_TOKEN` and tamper with release assets.
Description
- `PATCH_RELEASE_VERSION` env var and a preflight validation step that enforces the tag regex `^v[0-9]+\.[0-9]+\.[0-9]+(-[A-Za-z0-9.-]+)?$` in `.github/workflows/patch-release.yml` before any privileged operations run.
- `"${{ inputs.version }}"` interpolation inside `run:` blocks with the quoted environment variable `$PATCH_RELEASE_VERSION` to avoid GitHub Actions expression pre-interpolation into the shell.
- `patch_note` usage into an environment variable (`PATCH_RELEASE_NOTE`) for the summary block and left `inputs.patch_note` only where it is safe for non-shell use (action inputs/env).
- `.github/workflows/patch-release.yml` and preserve existing functionality while removing the command-injection surface.
Testing
- `git diff --check` with no whitespace or syntax issues and committed the change. (passed)
- `v1.2.3`, `v1.2.3-rc.1`) and reject payloads that include command-substitution such as `v0.1.0$(touch /tmp/coven-injected)`. (passed)
- `inputs.version` or `inputs.patch_note` interpolation inside `run` blocks. (passed)
Codex Task
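The expression pre-interpolation problem that both the review summary and the PR description above describe, as an added example that is not code from the PR or the repository: it models in bash the vulnerable `${{ inputs.version }}` route beside the `env:` route and applies the PR's regex as the preflight check. The regex and the `v0.1.0$(touch ...)` payload shape are the PR's own; the step bodies (`echo "Releasing ..."`), the function names and the temporary marker file are assumptions for illustration.

```bash
#!/usr/bin/env bash
# Added example, not code from the PR: models how a workflow_dispatch input
# reaches a `run:` step by the two routes the PR contrasts, and applies the
# PR's tag regex as a preflight check. The step bodies are illustrative
# stand-ins for the real workflow's commands.
set -euo pipefail

# The regex from the PR's validation step.
TAG_RE='^v[0-9]+\.[0-9]+\.[0-9]+(-[A-Za-z0-9.-]+)?$'

# Preflight check: exit status 0 for a well-formed tag, 1 otherwise. The
# pattern must be unquoted on the right of =~ so bash treats it as a regex,
# and [[ ]] matches against the whole string, so a value with an embedded
# newline is rejected too (a per-line tool such as grep -E would pass it).
validate_version() {
  [[ "$1" =~ $TAG_RE ]]
}

# Vulnerable route, modelling:
#   run: echo "Releasing ${{ inputs.version }}"
# GitHub substitutes the expression into the script text before bash parses
# it, so a $(...) inside the input becomes part of the command line.
run_step_interpolated() {
  local script="echo \"Releasing $1\""
  bash -c "$script"
}

# Hardened route, modelling:
#   env:
#     PATCH_RELEASE_VERSION: ${{ inputs.version }}
#   run: echo "Releasing $PATCH_RELEASE_VERSION"
# The value arrives as variable contents and is never re-parsed as syntax.
run_step_env() {
  PATCH_RELEASE_VERSION="$1" bash -c 'echo "Releasing $PATCH_RELEASE_VERSION"'
}

# Builds a payload of the shape the PR tests with, v0.1.0$(...), aimed at a
# temporary marker file (assumption for the demo), delivers it by the chosen
# route and reports whether the substitution ran: prints "executed" or "inert".
probe() {  # probe interpolated|env
  local mode="$1" mark payload
  mark="$(mktemp -u)"   # a fresh path that does not exist yet
  payload="v0.1.0\$(touch '$mark')"
  case "$mode" in
    interpolated) run_step_interpolated "$payload" >/dev/null ;;
    env)          run_step_env "$payload" >/dev/null ;;
    *) echo "unknown mode: $mode" >&2; return 2 ;;
  esac
  if [ -e "$mark" ]; then rm -f "$mark"; echo executed; else echo inert; fi
}

# The hardened step as the PR structures it: validate first, then run the
# privileged part only with an env-delivered value. Returns 1 and runs
# nothing on a rejected tag.
hardened_step() {
  if ! validate_version "$1"; then
    echo "error: invalid version '$1'" >&2
    return 1
  fi
  run_step_env "$1"
}

# Stand-alone demo.
echo "interpolated route: $(probe interpolated)"   # executed
echo "env route:          $(probe env)"            # inert
hardened_step v1.2.3
hardened_step 'v0.1.0$(touch /tmp/coven-injected)' || echo "rejected as expected"
```

The `env:` mapping is the part that closes the hole: once the value is a variable, quoting it (`"$PATCH_RELEASE_VERSION"`) keeps it a single word and nothing in it is evaluated, and the regex then narrows what the later `git tag`/release steps can see. The order matters as well: the validation step has to run before any step that holds `GH_TOKEN` or writes release assets, which is why the PR places it first.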