@RAprogramm
Closes #41

Problem

CodeQL identified a P1 security issue in auto-release.yml:

This workflow is triggered by workflow_run after the CI job succeeds, but actions/checkout@v4 is invoked without a ref and therefore checks out whatever happens to be at main when the job starts. If another commit lands on main before this job begins (for example a version bump whose CI run is still in progress or even fails), the release pipeline will tag and publish that newer code despite it never having completed CI.

Impact

Critical race condition: If a new commit is pushed to main while auto-release is running, it will release untested code.

Scenario:

  1. Commit A pushed to main → CI starts
  2. Commit B pushed to main → CI starts
  3. Commit A CI succeeds → auto-release triggered
  4. auto-release checks out main HEAD (now Commit B)
  5. Commit B code is released without CI passing

Solution

Use github.event.workflow_run.head_sha to check out the exact commit that passed CI:

- uses: actions/checkout@v4
  with:
    ref: ${{ github.event.workflow_run.head_sha }}  # ← ADDED
    fetch-depth: 0

Changes

Before:

- uses: actions/checkout@v4
  with:
    fetch-depth: 0

After:

- uses: actions/checkout@v4
  with:
    ref: ${{ github.event.workflow_run.head_sha }}
    fetch-depth: 0

Benefits

  • Security: Only tested commits are released
  • Correctness: Release matches CI-tested code
  • Reliability: No race conditions

Testing

  • Workflow syntax validated
  • CodeQL warning will be resolved
  • Will be tested on next release

References

- Add ref: github.event.workflow_run.head_sha to checkout
- Ensures release is built from exact commit that passed CI
- Prevents releasing untested code if new commits land on main

This fixes CodeQL P1 security alert: workflow was checking out
current main HEAD instead of the commit that actually passed CI.
If another commit landed between CI success and release run,
untested code could be released.

Now the workflow checks out the exact SHA that triggered it via the
workflow_run event, ensuring only tested code is released.
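As an added illustration (not code from this PR or the repository), a small Python model of the race the description walks through, together with the guard checks a release job can run before publishing. The event payload is constructed with made-up SHAs, and the `tested` set stands in for "CI succeeded on this SHA".

```python
# Constructed workflow_run event: only the fields a release job needs.
# Field names follow GitHub's workflow_run webhook payload; SHAs are made up.
SAMPLE_EVENT = {
    "workflow_run": {
        "head_sha": "a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1",
        "head_branch": "main",
        "conclusion": "success",
    }
}
COMMIT_A = SAMPLE_EVENT["workflow_run"]["head_sha"]   # passed CI
COMMIT_B = "b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2"  # landed on main later


def ref_without_pin(branch_heads, branch="main"):
    """'Before' behaviour: checkout with no ref resolves the branch tip
    at the moment the release job starts."""
    return branch_heads[branch]


def ref_with_pin(event):
    """'After' behaviour: check out the exact SHA the triggering run tested."""
    return event["workflow_run"]["head_sha"]


def release_guard(event, checked_out_sha, required_branch="main"):
    """Refuse to publish unless the triggering run succeeded, ran for the
    release branch, and the working tree is at that run's head_sha."""
    run = event["workflow_run"]
    if run.get("conclusion") != "success":
        raise RuntimeError(f"triggering run concluded {run.get('conclusion')!r}")
    if run.get("head_branch") != required_branch:
        raise RuntimeError(f"run was for {run.get('head_branch')!r}, not {required_branch!r}")
    if checked_out_sha != run["head_sha"]:
        raise RuntimeError("checked-out commit is not the commit that passed CI")
    return run["head_sha"]


def simulate_race(tested):
    """Replay the scenario: A passes CI, B lands on main before release starts.
    Returns (unpinned_sha, pinned_sha, unpinned_was_tested)."""
    branch_heads = {"main": COMMIT_B}   # step 4: main HEAD is now commit B
    unpinned = ref_without_pin(branch_heads)
    pinned = ref_with_pin(SAMPLE_EVENT)
    return unpinned, pinned, unpinned in tested
```

In a real job the same guard is a shell step comparing `git rev-parse HEAD` with `${{ github.event.workflow_run.head_sha }}` after checkout, which catches a mis-pinned ref even if the YAML is edited later.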
@RAprogramm RAprogramm merged commit 281a728 into main Oct 19, 2025
3 checks passed
@RAprogramm RAprogramm deleted the 41 branch October 19, 2025 04:18
Development

Successfully merging this pull request may close these issues.

Fix auto-release workflow to checkout tested commit