fix: release notification secrets context and script injection

[abhizipstack]

What

• Fix secrets context usage in release notification workflow
• Fix script injection in run: block
• Add skip guard on Slack post step

Why

• secrets context is not available in jobs.<id>.if (only github, inputs, needs, vars allowed) — actionlint was failing
• Direct ${{ }} interpolation of release event data in run: block is a script injection risk
• Slack post step should skip cleanly when no webhook is configured

How

• Moved secrets.SLACK_WEBHOOK_URL check from job-level if to step-level env guard
• Pass release event data (TAG, RELEASE_NAME, URL) via env: variables instead of inline ${{ }} in shell
• Added if: ${{ steps.message.outputs.text != '' }} on "Post to Slack" step

Can this PR break any existing features. If yes, please list possible items. If no, please explain why. (PS: Admins do not merge the PR without this section filled)

• No — workflow-only change. Release notification behavior is unchanged; it now correctly skips when no Slack webhook is configured instead of failing at job-level.

Database Migrations

• None

Env Config

• None — uses existing SLACK_WEBHOOK_URL secret

Relevant Docs

• N/A

Related Issues or PRs

• Fixes actionlint failure introduced in PR feat: add stale bot and release notification workflows #42

Dependencies Versions

• None

Notes on Testing

• Verify pre-commit.ci actionlint passes
• Verify release notification works when Slack webhook is configured

Screenshots

N/A

Checklist

• I have read and understood the Contribution Guidelines.

🤖 Generated with Claude Code

[greptile-apps]

Greptile Summary

This PR fixes three security/correctness issues in the .github/workflows/release-notification.yml workflow that were introduced in PR #42:

1. secrets context in job-level if: — moved the SLACK_WEBHOOK_URL check from job-level (where secrets context is unavailable) to a step-level env: guard, which is the recommended GitHub Actions pattern.
2. Script injection — replaced inline ${{ github.event.release.* }} interpolation directly in the run: block with env: variables ($TAG, $RELEASE_NAME, $URL), eliminating the injection vector.
3. Skip guard on "Post to Slack" — added if: ${{ steps.message.outputs.payload != '' }} so the step cleanly skips when the webhook secret is not configured.

The fixes are minimal and well-targeted. One minor discrepancy: the PR description's "How" section says the guard uses steps.message.outputs.text, but the actual code correctly gates on steps.message.outputs.payload — matching what the "Build Slack payload" step actually outputs.

Confidence Score: 5/5

Safe to merge — all changes are workflow-only, correctly fix the reported actionlint failures and script-injection risk, and introduce no new issues.

All three stated fixes are correctly implemented: the secrets-context misuse is resolved via the step-level env guard (a recommended GitHub Actions pattern), release event data is safely passed through env variables and jq --arg to prevent injection, and the Slack post step has a proper skip guard. No P0 or P1 findings remain.

No files require special attention.

Vulnerabilities

No security concerns identified. The PR actively improves security by eliminating a script-injection risk: release event data (tag_name, name, html_url) is now passed through env: variables and then via jq --arg (which escapes values properly), rather than being interpolated directly with ${{ }} in the run: shell block.

Important Files Changed

Filename	Overview
.github/workflows/release-notification.yml	Correctly fixes secrets-context misuse, script injection via env: variables, and adds a skip guard on the Slack post step. No remaining issues.

Sequence Diagram

sequenceDiagram
    participant GH as GitHub Release Event
    participant Step1 as Build Slack Payload
    participant Step2 as Post to Slack
    participant Slack as Slack Webhook

    GH->>Step1: release published (tag_name, name, html_url)
    Note over Step1: if: env.SLACK_WEBHOOK_URL != ''
    alt SLACK_WEBHOOK_URL secret is set
        Step1->>Step1: env vars TAG, RELEASE_NAME, URL bound from secrets/event
        Step1->>Step1: printf → TEXT, jq --arg → PAYLOAD (JSON-safe)
        Step1-->>Step2: outputs.payload = JSON string
        Note over Step2: if: steps.message.outputs.payload != ''
        Step2->>Slack: POST webhook with payload
    else SLACK_WEBHOOK_URL secret is empty
        Step1-->>Step2: skipped (outputs.payload = '')
        Note over Step2: skipped — no webhook configured
    end

Loading

_{Reviews (2): Last reviewed commit: "fix: build full JSON payload in shell to..." | Re-trigger Greptile}

[wicky-zipstack]

LGTM

[tahierhussain]

LGTM

Note: Please make sure to address the security issue raised by Greptile.

[abhizipstack]

Greptile P1 addressed in 2bc148b — full JSON payload is now built in the shell step using jq which properly escapes all values. No untrusted data is interpolated in the payload: block anymore.