
Commit deb91ac

committed
fix(ci): prevent script injection in package-publish workflow
1 parent 835e5ab commit deb91ac


1 file changed

+14
-6
lines changed


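--- a/.github/workflows/_package-publish.yml
+++ b/.github/workflows/_package-publish.yml
@@ -167,7 +167,9 @@ jobs:
 
 - name: Print the release notes
 shell: bash
-run: cat "${{ steps.git-cliff.outputs.changelog }}"
+env:
+GIT_CLIFF_CHANGELOG: ${{ steps.git-cliff.outputs.changelog }}
+run: cat "$GIT_CLIFF_CHANGELOG"
 
 - name: Build distribution into dist/
 shell: bash
@@ -202,23 +204,27 @@ jobs:
 (!contains(github.event.pull_request.labels.*.name, 'skip:test:all'))
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+GH_REF_NAME: ${{ github.ref_name }}
+GIT_CLIFF_CHANGELOG: ${{ steps.git-cliff.outputs.changelog }}
 shell: bash
 run: |
 rm -rf ./test-results/coverage_html
-gh release create ${{ github.ref_name }} ./dist/* ./dist_native_zipped/* ./test-results/* ./audit-results/* \
---notes-file ${{ steps.git-cliff.outputs.changelog }}
+gh release create "$GH_REF_NAME" ./dist/* ./dist_native_zipped/* ./test-results/* ./audit-results/* \
+--notes-file "$GIT_CLIFF_CHANGELOG"
 
 - name: Create GitHub release (no test results)
 if: |
 (contains(inputs.commit_message, 'skip:test:all')) ||
 (contains(github.event.pull_request.labels.*.name, 'skip:test:all'))
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+GH_REF_NAME: ${{ github.ref_name }}
+GIT_CLIFF_CHANGELOG: ${{ steps.git-cliff.outputs.changelog }}
 shell: bash
 run: |
 rm -rf ./test-results/coverage_html
-gh release create ${{ github.ref_name }} ./dist/* ./dist_native_zipped/* ./audit-results/* \
---notes-file ${{ steps.git-cliff.outputs.changelog }}
+gh release create "$GH_REF_NAME" ./dist/* ./dist_native_zipped/* ./audit-results/* \
+--notes-file "$GIT_CLIFF_CHANGELOG"
 
 - name: Inform Sentry about release
 uses: getsentry/action-release@dab6548b3c03c4717878099e43782cf5be654289 # v3.5.0
@@ -233,10 +239,12 @@ jobs:
 - name: Convert release notes from Markdown to Slack mrkdwn
 id: slack-notes
 shell: bash
+env:
+GIT_CLIFF_CONTENT: ${{ steps.git-cliff.outputs.content }}
 run: |
 # Convert Markdown links [text](url) to Slack mrkdwn <url|text>
 # Convert bold **text** to *text*
-SLACK_RELEASE_NOTES=$(echo '${{ toJSON(steps.git-cliff.outputs.content) }}' | \
+SLACK_RELEASE_NOTES=$(printf '%s\n' "$GIT_CLIFF_CONTENT" | \
 sed -E 's/\[([^]]+)\]\(([^)]+)\)/<\2|\1>/g' | \
 sed -E 's/\*\*([^*]+)\*\*/*\1*/g')
 echo "content<<SLACKEOF" >> "$GITHUB_OUTPUT"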
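Review bot: The heredoc delimiter on the last line of the third hunk, `echo "content<<SLACKEOF" >> "$GITHUB_OUTPUT"`, is a fixed string, so a line reading exactly `SLACKEOF` anywhere in `$GIT_CLIFF_CONTENT` would terminate the multi-line `content` output early and the remaining text would be parsed as further `$GITHUB_OUTPUT` entries; the release-notes content is presumably assembled by git-cliff from commit messages, so it is not fully under the maintainers' control. Moving the `${{ }}` expansion into `env:` closes the shell-injection path this commit targets, but the output-file parsing still trusts the content byte for byte. A per-run delimiter removes that dependency: add `delim="SLACKEOF_$(openssl rand -hex 16)"` before the echo, change it to `echo "content<<$delim" >> "$GITHUB_OUTPUT"`, and have the closing delimiter line (which lies outside the hunk) emit `$delim` as well. The `run:` block of the slack-notes step continues past the end of the hunk, so the closing line and any later use of `SLACK_RELEASE_NOTES` were not visible for review.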
