chore(release): secure workflows against shell injection#3895

Merged
rickeylev merged 1 commit into
bazel-contrib:mainfrom
rickeylev:fix-workflow-injection
Jul 3, 2026
Conversation

@rickeylev

@rickeylev rickeylev commented Jul 3, 2026

Collaborator

Pass workflow inputs as environment variables instead of expanding them directly in run scripts to prevent shell injection.

The shell expansions were guarded by collaborator checks, but best to prevent any type of injection.

- Modify `release_create_rc.yaml`, `release_prepare.yaml`, `release_process_backports.yaml`, and `release_promote_rc.yaml` to pass workflow inputs as environment variables instead of expanding them directly in inline bash scripts.
- This prevents potential shell injection vulnerabilities if inputs contain shell metacharacters.
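The pattern the PR describes, as an added illustration that is not taken from the rules_python workflows: a constructed `workflow_dispatch` job showing the injectable form next to the hardened `env:` form, with a hypothetical `version` input.

```yaml
name: release-example   # constructed example, not a rules_python workflow
on:
  workflow_dispatch:
    inputs:
      version:
        description: "Release version, e.g. 1.2.0rc1 (hypothetical input)"
        required: true
        type: string

jobs:
  # Vulnerable pattern: `${{ }}` is substituted by the Actions runner before
  # bash ever sees the script, so the input text becomes part of the shell
  # program itself. Quoting inside the script does not help, because the
  # substitution happens at the template level; an input containing `;` or
  # `$(...)` would end the git command and start a new one.
  unsafe:
    runs-on: ubuntu-latest
    steps:
      - name: Tag release (injectable)
        run: |
          git tag "${{ inputs.version }}"

  # Hardened pattern: hand the input to the step through `env:`. The value
  # arrives in the process environment; bash treats "$VERSION" as data and
  # never re-parses it as code.
  safe:
    runs-on: ubuntu-latest
    steps:
      - name: Tag release (safe)
        env:
          VERSION: ${{ inputs.version }}
        run: |
          # Defence in depth: allow-list the characters a version may contain
          # before the value is used anywhere.
          case "$VERSION" in
            ""|*[!A-Za-z0-9._-]*) echo "invalid version: $VERSION" >&2; exit 1 ;;
          esac
          git tag "$VERSION"
```

The same `env:` mapping works for `github.event.*` fields (PR titles, branch names, issue bodies), which are attacker-controlled far more often than `workflow_dispatch` inputs.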
@rickeylev rickeylev requested a review from aignas as a code owner July 3, 2026 08:27
@gemini-code-assist

Contributor

Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

@rickeylev rickeylev changed the title fix(release): secure workflows against shell injection chore(release): secure workflows against shell injection Jul 3, 2026
@rickeylev rickeylev merged commit d77d5a4 into bazel-contrib:main Jul 3, 2026
8 of 10 checks passed
@rickeylev rickeylev deleted the fix-workflow-injection branch July 3, 2026 15:28