ci(release-auto): pass release title via env var (fix quote/;-injection)#293
Merged
Conversation
The 'Create tag + GitHub Release' step interpolated the CHANGELOG-derived title
straight into the run: script via ${{ steps.notes.outputs.title }}. Because the
title carries double quotes (the "Codename" plus any quoted phrase) and shell
metacharacters (';', '(', ')'), splicing it into the command text broke shell
quoting: a codename-only header merely had its quotes stripped, but v2.1.7's
header — '... honest DMA "unexpected read" residual ADR 0033; "Stepping")' —
split the quoted phrase into bare words and the shell read the ';' as a command
separator, then globbed 'Stepping)' → 'no matches found', failing the whole
auto-release (v2.1.7 never got tagged; published manually).
Fix: pass the tag, target, title, and body-file through the step 'env:' and
reference them as shell variables ("$RELEASE_TITLE" etc.). Env-var expansion
is quote-safe, so the release title keeps its real quotes and any header content
is handled literally — no injection, no glob, no separator surprises. Protects
every remaining v2.1.x release cut.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Contributor
|
Warning You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again! |
There was a problem hiding this comment.
Pull request overview
This PR fixes a GitHub Actions release automation failure mode where a CHANGELOG-derived release title containing quotes and shell metacharacters could break the gh release create command due to unsafe ${{ ... }} interpolation directly into the run: script.
Changes:
- Routes dynamic values (tag, target SHA, title, notes file) through step-level
env:and references them via shell variables in thegh release createcommand. - Adds explanatory comments documenting the injection/quoting failure mode and the rationale for the environment-variable approach.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes the root cause of v2.1.7 failing to auto-publish.
release-auto.yml's "Create tag + GitHub Release" step interpolated the CHANGELOG-derived title directly into therun:script via--title "${{ steps.notes.outputs.title }}". Because that title carries double quotes (the"Codename"+ any quoted phrase) and shell metacharacters, splicing it into the command text broke quoting:"Fathom" … "Timbre") merely had its quotes stripped (no error, mangled title).… honest DMA "unexpected read" residual ADR 0033; "Stepping")— split the quoted multi-word phrase into bare words, the shell read the;as a command separator, andStepping)globbed →no matches found→ the auto-release failed. v2.1.7 was published manually.Fix: pass tag / target / title / body-file through the step
env:and reference them as shell variables ("$RELEASE_TITLE"…). Env-var expansion is quote-safe — titles keep their real quotes and any header content is handled literally. Protects the remaining v2.1.9 / v2.1.10 / v2.2.0 cuts.No behavior change beyond correct/safe titles; YAML validated.
🤖 Generated with Claude Code