From e6d5e67e3da89ad1144f26feba30948f9237710e Mon Sep 17 00:00:00 2001 From: abhizipstack Date: Wed, 8 Apr 2026 17:52:58 +0530 Subject: [PATCH 1/2] =?UTF-8?q?fix:=20release=20notification=20=E2=80=94?= =?UTF-8?q?=20secrets=20context=20and=20script=20injection?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Move secrets check from job-level if to step-level env (secrets context is not available in jobs..if — only github, inputs, needs, and vars are allowed) - Pass release event data via env variables instead of direct ${{ }} interpolation in run block to prevent script injection - Skip Slack post if no message was built Co-Authored-By: Claude Opus 4.6 (1M context) --- .github/workflows/release-notification.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release-notification.yml b/.github/workflows/release-notification.yml index 1987b1a..3114a53 100644 --- a/.github/workflows/release-notification.yml +++ b/.github/workflows/release-notification.yml @@ -7,11 +7,12 @@ on: jobs: notify: runs-on: ubuntu-latest - if: ${{ secrets.SLACK_WEBHOOK_URL != '' }} steps: - name: Build Slack message id: message + if: ${{ env.SLACK_WEBHOOK_URL != '' }} env: + SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} TAG: ${{ github.event.release.tag_name }} RELEASE_NAME: ${{ github.event.release.name }} URL: ${{ github.event.release.html_url }} @@ -19,6 +20,7 @@ jobs: echo "text=🚀 *Visitran ${TAG}* released! ${RELEASE_NAME} <${URL}|View Release Notes>" >> "$GITHUB_OUTPUT" - name: Post to Slack + if: ${{ steps.message.outputs.text != '' }} uses: slackapi/slack-github-action@v2.1.0 with: webhook: ${{ secrets.SLACK_WEBHOOK_URL }} From 2bc148b093111d7058fad3195bb69d1023844424 Mon Sep 17 00:00:00 2001 
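Review bot: The new step-level `if: ${{ env.SLACK_WEBHOOK_URL != '' }}` on the `Build Slack message` step reads a variable that the same step's `env:` block defines, and as far as I can tell a step's own `env` is not yet applied when its `if` is evaluated, so `env.SLACK_WEBHOOK_URL` is always empty here and the step — and with it the Slack post, whose `if` depends on this step's output — is skipped unconditionally. Since `secrets` is not available in a step `if` either, the usual workaround is to set the variable at job level: under `notify:` add `env:` / `  SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}` and keep the step-level `if` as written. Verify on a test release before merging, since a skipped step does not fail the run. The `Build Slack message` step's `run:` block continues outside this hunk.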
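Review bot: `uses: slackapi/slack-github-action@v2.1.0` on the `Post to Slack` step is pinned to a tag, and this is the step that is handed `secrets.SLACK_WEBHOOK_URL`; a tag is mutable, so whoever can move it gets to run their code with the webhook. Pin the action to the full commit SHA of that release and keep the version as a trailing comment, e.g. `uses: slackapi/slack-github-action@<full 40-hex commit sha>  # v2.1.0`, so that updates are an explicit, reviewed diff. This line is context rather than part of the change, but it is the remaining supply-chain exposure of this workflow. The step's `with:` block continues past the end of the hunk.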
From: abhizipstack Date: Wed, 8 Apr 2026 18:53:56 +0530 Subject: [PATCH 2/2] fix: build full JSON payload in shell to prevent JSON injection Use jq to build the Slack payload JSON in the shell step instead of interpolating untrusted values into the payload block. This ensures release names with quotes or backslashes produce valid JSON. Co-Authored-By: Claude Opus 4.6 (1M context) --- .github/workflows/release-notification.yml | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/.github/workflows/release-notification.yml b/.github/workflows/release-notification.yml index 3114a53..0202224 100644 --- a/.github/workflows/release-notification.yml +++ b/.github/workflows/release-notification.yml @@ -8,7 +8,7 @@ jobs: notify: runs-on: ubuntu-latest steps: - - name: Build Slack message + - name: Build Slack payload id: message if: ${{ env.SLACK_WEBHOOK_URL != '' }} env: @@ -17,15 +17,14 @@ jobs: RELEASE_NAME: ${{ github.event.release.name }} URL: ${{ github.event.release.html_url }} run: | - echo "text=🚀 *Visitran ${TAG}* released! ${RELEASE_NAME} <${URL}|View Release Notes>" >> "$GITHUB_OUTPUT" + TEXT=$(printf '🚀 *Visitran %s* released! %s <%s|View Release Notes>' "$TAG" "$RELEASE_NAME" "$URL") + PAYLOAD=$(jq -nc --arg text "$TEXT" '{"text": $text}') + echo "payload=$PAYLOAD" >> "$GITHUB_OUTPUT" - name: Post to Slack - if: ${{ steps.message.outputs.text != '' }} + if: ${{ steps.message.outputs.payload != '' }} uses: slackapi/slack-github-action@v2.1.0 with: webhook: ${{ secrets.SLACK_WEBHOOK_URL }} webhook-type: incoming-webhook - payload: | - { - "text": "${{ steps.message.outputs.text }}" - } + payload: ${{ steps.message.outputs.payload }}
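Review bot: `jq --arg` closes the JSON injection, but the `text` field is still rendered by Slack as mrkdwn and `$RELEASE_NAME` and `$TAG` go into it unescaped, so a release name containing `<!channel>`, `<https://example.com|text>` or a bare `&` is interpreted as a mention, a link or an entity rather than shown literally. Slack's formatting docs ask that `&`, `<` and `>` in untrusted text be replaced with `&amp;`, `&lt;` and `&gt;`; doing it inside the same jq program keeps the step self-contained and avoids a second shell quoting layer. `$URL` is deliberately left unescaped because it is the link target, not display text. The step's `env:` block and the following `Post to Slack` step are outside the rewritten lines.

```yaml
      run: |
        # Slack renders `text` as mrkdwn: escape &, < and > in the user-controlled
        # fields so a release name cannot inject a link, a <!channel>/<!here>
        # mention or an HTML entity. $url is the link target and stays raw.
        PAYLOAD=$(jq -nc --arg tag "$TAG" --arg name "$RELEASE_NAME" --arg url "$URL" '
          def esc: gsub("&"; "&amp;") | gsub("<"; "&lt;") | gsub(">"; "&gt;");
          {text: "🚀 *Visitran \($tag | esc)* released! \($name | esc) <\($url)|View Release Notes>"}')
        echo "payload=$PAYLOAD" >> "$GITHUB_OUTPUT"
    # … unchanged: "Post to Slack" step …
```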