Skip to content

v2.18.19

Choose a tag to compare

@github-actions github-actions released this 05 Jul 19:37
v2.18.19
1c4bb65

v2.18.19 Release Summary

This patch release includes several important security and validation fixes.

Security fixes

  • Added validation for Git repository URLs to prevent Git option injection.
  • Added --end-of-options to Git commands to make repository URL and branch handling safer.
  • Fixed branch override handling: task-level Git branch override is now applied only when the template explicitly allows it.
  • Prevented custom roles from shadowing built-in role slugs such as owner or manager.
  • Fixed permission resolution so built-in roles always use their built-in permissions instead of database-defined custom roles.
  • Added validation to prevent access keys from being updated with a different ID or moved to another project.

Reliability and tests

  • Added tests for Git URL validation and Git command injection protection.
  • Added tests for access key update validation.
  • Added tests for custom role validation and reserved role slugs.
  • Refactored Git branch resolution into a dedicated helper to make task behavior more consistent.