Merged
20 changes: 20 additions & 0 deletions .github/workflows/pr-name.yml
@@ -0,0 +1,20 @@
name: Pull Request Name
on:
pull_request:
types: [opened, edited, synchronize, reopened]
branches:
- next

jobs:
pull_request_name:
runs-on: ubuntu-latest
steps:
- name: Obtain PR name
run: echo "PR_TITLE=${{ github.event.pull_request.title }}" >> $GITHUB_ENV
Comment on lines +12 to +13
⚠️ Potential issue

Shell-injection risk when echoing untrusted PR titles

github.event.pull_request.title is fully user-controlled. By interpolating it straight into an echo that writes to $GITHUB_ENV, a malicious title containing new-lines or command substitutions could inject additional environment variables or even arbitrary shell commands.

Use the workflow-native env: mapping (or id + outputs) to avoid hitting the shell at all:

-      - name: Obtain PR name
-        run: echo "PR_TITLE=${{ github.event.pull_request.title }}" >> $GITHUB_ENV
+      - name: Set PR title env
+        env:
+          PR_TITLE: ${{ github.event.pull_request.title }}
+        run: echo "PR_TITLE captured"
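Review bot: this replacement stops the injection but silently breaks the workflow: a step-level `env:` is visible only to that step, so `run: echo "PR_TITLE captured"` writes nothing to $GITHUB_ENV and the later `Verify PR name` step finds `process.env.PR_TITLE` undefined, rejecting every PR with the message `Current title: "undefined"`. Put the `env:` mapping on the verify step itself (or at job level) and drop this step, or keep the export but write the variable from the environment, e.g. `run: printf 'PR_TITLE<<%s\n%s\n%s\n' "$d" "$PR_TITLE" "$d" >> "$GITHUB_ENV"` with `$d` set to a random delimiter, so a multi-line title cannot define extra variables.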

This keeps the data path entirely inside the runner’s metadata expansion and eliminates injection vectors.

🧰 Tools
🪛 actionlint (1.7.7)

12-12: "github.event.pull_request.title" is potentially untrusted. avoid using it directly in inline scripts. instead, pass it through an environment variable. see https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions for more details

(expression)

🤖 Prompt for AI Agents
In .github/workflows/pr-name.yml at lines 11-12, avoid using echo with direct
interpolation of github.event.pull_request.title to set PR_TITLE due to shell
injection risk. Instead, use the workflow-native env: mapping to assign PR_TITLE
safely without invoking the shell, for example by defining PR_TITLE under env:
in the step or using outputs with id to pass the title securely.
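The mechanism the comment describes, as an added example that is not part of the PR or of the review above: a POSIX shell script that simulates the runner expanding `${{ github.event.pull_request.title }}` into the `run` script text before the shell executes it, runs the vulnerable `echo ... >> $GITHUB_ENV` line against constructed titles, and contrasts it with passing the title through an environment variable and writing it with the runner's `NAME<<DELIMITER` multi-line syntax. The sample titles, the temporary file standing in for `$GITHUB_ENV`, and the small awk parser of the env file (a simplified model of the runner's own parser) are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the PR under review): simulate the runner expanding a
# ${{ }} expression into the `run` script text *before* the shell runs it.

# Constructed sample PR titles (assumptions for this example, not real PRs).
BENIGN_TITLE='feat: add login form'
NEWLINE_TITLE='feat: add login form
LD_PRELOAD=/tmp/evil.so'                               # second line becomes its own KEY=VALUE
CMDSUB_TITLE='feat: add login form $(echo INJECTED)'   # the shell executes the substitution

# Parse a GITHUB_ENV file roughly as the runner does (simplified model) and print
# one variable name per line; understands NAME=value and NAME<<DELIM ... DELIM.
env_names() {
  awk '
    in_block { if ($0 == delim) in_block = 0; next }
    match($0, /^[A-Za-z_][A-Za-z0-9_]*<<./) {
      name  = substr($0, 1, index($0, "<<") - 1)
      delim = substr($0, index($0, "<<") + 2)
      in_block = 1; print name; next
    }
    match($0, /^[A-Za-z_][A-Za-z0-9_]*=/) { print substr($0, 1, index($0, "=") - 1) }
  '
}

# Vulnerable step from the PR: the title is spliced into the script *as text*
# (what ${{ }} expansion does) and the result is handed to the job shell.
# Prints the resulting GITHUB_ENV file.
vulnerable_step() {
  title=$1
  GITHUB_ENV=$(mktemp); export GITHUB_ENV
  script='echo "PR_TITLE='"$title"'" >> $GITHUB_ENV'
  sh -c "$script"
  cat "$GITHUB_ENV"
  rm -f "$GITHUB_ENV"
}

# Hardened step: the title reaches the shell only as the *value* of an
# environment variable (what a step-level `env:` mapping does) and is written
# with the runner's NAME<<DELIM syntax using a random delimiter, so embedded
# newlines stay inside the value and nothing in the title is parsed as code.
safe_step() {
  PR_TITLE=$1; export PR_TITLE   # stands in for: env: PR_TITLE: ${{ github.event.pull_request.title }}
  GITHUB_ENV=$(mktemp); export GITHUB_ENV
  sh -c '
    delim="ghadelim_$(od -An -N16 -tx1 /dev/urandom | tr -d " \n")"
    printf "PR_TITLE<<%s\n%s\n%s\n" "$delim" "$PR_TITLE" "$delim" >> "$GITHUB_ENV"
  '
  cat "$GITHUB_ENV"
  rm -f "$GITHUB_ENV"
}

# Demo: show what each variant writes for each constructed title.
for t in "$BENIGN_TITLE" "$NEWLINE_TITLE" "$CMDSUB_TITLE"; do
  echo "== vulnerable step wrote:"; vulnerable_step "$t"
  echo "== hardened step wrote:";   safe_step "$t"
done
```

With the newline title the vulnerable variant leaves two variables in the env file (`PR_TITLE` and `LD_PRELOAD`), and with the substitution title it records `INJECTED`, proving the command ran; the hardened variant yields a single `PR_TITLE` whose value still contains the literal `$(echo INJECTED)` text. The random delimiter matters because a title that itself contains the delimiter line would otherwise end the value early.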

- name: Verify PR name
uses: actions/github-script@v6
with:
script: |
if (!/^(fix|feat|perf):/.test(process.env.PR_TITLE)) {
throw new Error(`Please start the PR title with "fix:", "feat:" or "perf:". Current title: "${process.env.PR_TITLE}"`);
}
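Review bot: `run: echo "PR_TITLE=${{ github.event.pull_request.title }}" >> $GITHUB_ENV` splices an attacker-controlled string into the script before the shell parses it, so a title containing `$(...)`, backticks or a closing double quote runs commands on the runner, and one containing a newline appends extra `NAME=value` lines to $GITHUB_ENV. Pass the title through the environment instead: put `env: PR_TITLE: ${{ github.event.pull_request.title }}` on the `Verify PR name` step, which already reads `process.env.PR_TITLE`, and delete the first step, or read `context.payload.pull_request.title` inside the github-script; if the value must still go through $GITHUB_ENV, write it with the `PR_TITLE<<DELIM` multi-line form and a random delimiter. Separately, `/^(fix|feat|perf):/` rejects scoped and breaking-change titles such as `feat(auth):` and `fix!:`; if those should pass, use `/^(fix|feat|perf)(\([^)]*\))?!?:/`, and pin `actions/github-script` to a full-length commit SHA rather than the `v6` tag.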