From f3f627d40012850c9ca7ede57cdd210b14d2d022 Mon Sep 17 00:00:00 2001 From: Oliver Meyer Date: Thu, 26 Mar 2026 15:47:28 +0100 Subject: [PATCH 1/4] fix(ci): prevent script injection in run-tests action --- .github/actions/run-tests/action.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/.github/actions/run-tests/action.yml b/.github/actions/run-tests/action.yml index e00cc071f..d8dfe3401 100644 --- a/.github/actions/run-tests/action.yml +++ b/.github/actions/run-tests/action.yml @@ -30,9 +30,12 @@ runs: (!contains(inputs.commit-message, 'skip:test:all')) && (!contains(github.event.pull_request.labels.*.name, 'skip:test:all')) shell: bash + env: + MAKE_TARGET: ${{ inputs.make-target }} + SUMMARY_TITLE: ${{ inputs.summary-title }} run: | set +e - make ${{ inputs.make-target }} + make $MAKE_TARGET EXIT_CODE=$? # Show test execution in GitHub Job summary found_files=0 @@ -44,7 +47,7 @@ runs: fi done if [ $found_files -eq 0 ]; then - echo "# ${{ inputs.summary-title }}" >> $GITHUB_STEP_SUMMARY + echo "# $SUMMARY_TITLE" >> $GITHUB_STEP_SUMMARY echo "" >> $GITHUB_STEP_SUMMARY fi # Show test coverage in GitHub Job summary From 835e5ab3e9a8749b2c04457a4b5e9a4af1c8ce59 Mon Sep 17 00:00:00 2001 From: Oliver Meyer Date: Thu, 26 Mar 2026 15:49:54 +0100 Subject: [PATCH 2/4] fix(ci): prevent commit-message injection in ci-cd workflow --- .github/workflows/ci-cd.yml | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci-cd.yml b/.github/workflows/ci-cd.yml index 4375ce445..c704963d1 100644 --- a/.github/workflows/ci-cd.yml +++ b/.github/workflows/ci-cd.yml 
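Review bot: `make $MAKE_TARGET` leaves the variable unquoted, so the input is still word-split and glob-expanded by bash; that is fine if callers deliberately pass several targets or options, but the script should say so, and if a single target is meant it should read `make "$MAKE_TARGET"`. The input is a composite-action input, so its value comes from the calling workflow rather than directly from a pull request, which limits the exposure the commit title describes. Either the quoted form or a one-line comment above the call, `# MAKE_TARGET is intentionally unquoted so callers can pass several targets`, would make the intent explicit. The step's run body continues past the end of this hunk.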
@@ -43,13 +43,17 @@ jobs: - name: Get commit message id: get-commit-message shell: bash + env: + GITHUB_EVENT_NAME: ${{ github.event_name }} + PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }} + HEAD_COMMIT_MESSAGE: ${{ github.event.head_commit.message }} run: | - if [ "${{ github.event_name }}" == "pull_request" ]; then + if [ "$GITHUB_EVENT_NAME" == "pull_request" ]; then # For PR events, get the commit message from the PR head SHA - COMMIT_MESSAGE=$(git log -1 --format=%B ${{ github.event.pull_request.head.sha }}) + COMMIT_MESSAGE=$(git log -1 --format=%B $PR_HEAD_SHA) else # For push events, use the head commit message - COMMIT_MESSAGE='${{ github.event.head_commit.message }}' + COMMIT_MESSAGE="$HEAD_COMMIT_MESSAGE" fi # Export for use in other steps (multiline-safe) # Use printf with %s to avoid interpreting special characters From deb91ace34a46c27e15ce81d2cf7e0c780f74f49 Mon Sep 17 00:00:00 2001 From: Oliver Meyer Date: Thu, 26 Mar 2026 16:03:57 +0100 Subject: [PATCH 3/4] fix(ci): prevent script injection in package-publish workflow --- .github/workflows/_package-publish.yml | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/.github/workflows/_package-publish.yml b/.github/workflows/_package-publish.yml index 40e496800..4fed9dc69 100644 --- a/.github/workflows/_package-publish.yml +++ b/.github/workflows/_package-publish.yml @@ -167,7 +167,9 @@ jobs: - name: Print the release notes shell: bash - run: cat "${{ steps.git-cliff.outputs.changelog }}" + env: + GIT_CLIFF_CHANGELOG: ${{ steps.git-cliff.outputs.changelog }} + run: cat "$GIT_CLIFF_CHANGELOG" - name: Build distribution into dist/ shell: bash 
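Review bot: `git log -1 --format=%B $PR_HEAD_SHA` leaves the SHA unquoted, while the otherwise identical step in build-native-only.yml (patch 4/4 of this series) quotes it as `"$PR_HEAD_SHA"`; the two copies should agree, and the quoted form is the safer one if the value is ever empty or unexpected. The new `GITHUB_EVENT_NAME` entry under `env:` duplicates a runner-provided default variable of the same name and value, so it is redundant whether or not the runner honours the override; a neutral name such as `EVENT_NAME` would avoid shadowing a reserved `GITHUB_` variable. The step's run body, including the printf export the trailing comments describe, continues outside this hunk.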
@@ -202,11 +204,13 @@ jobs: (!contains(github.event.pull_request.labels.*.name, 'skip:test:all')) env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GH_REF_NAME: ${{ github.ref_name }} + GIT_CLIFF_CHANGELOG: ${{ steps.git-cliff.outputs.changelog }} shell: bash run: | rm -rf ./test-results/coverage_html - gh release create ${{ github.ref_name }} ./dist/* ./dist_native_zipped/* ./test-results/* ./audit-results/* \ - --notes-file ${{ steps.git-cliff.outputs.changelog }} + gh release create "$GH_REF_NAME" ./dist/* ./dist_native_zipped/* ./test-results/* ./audit-results/* \ + --notes-file "$GIT_CLIFF_CHANGELOG" - name: Create GitHub release (no test results) if: | @@ -214,11 +218,13 @@ jobs: (contains(github.event.pull_request.labels.*.name, 'skip:test:all')) env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GH_REF_NAME: ${{ github.ref_name }} + GIT_CLIFF_CHANGELOG: ${{ steps.git-cliff.outputs.changelog }} shell: bash run: | rm -rf ./test-results/coverage_html - gh release create ${{ github.ref_name }} ./dist/* ./dist_native_zipped/* ./audit-results/* \ - --notes-file ${{ steps.git-cliff.outputs.changelog }} + gh release create "$GH_REF_NAME" ./dist/* ./dist_native_zipped/* ./audit-results/* \ + --notes-file "$GIT_CLIFF_CHANGELOG" - name: Inform Sentry about release uses: getsentry/action-release@dab6548b3c03c4717878099e43782cf5be654289 # v3.5.0 @@ -233,10 +239,12 @@ jobs: - name: Convert release notes from Markdown to Slack mrkdwn id: slack-notes shell: bash + env: + GIT_CLIFF_CONTENT: ${{ steps.git-cliff.outputs.content }} run: | # Convert Markdown links [text](url) to Slack mrkdwn # Convert bold **text** to *text* - SLACK_RELEASE_NOTES=$(echo '${{ toJSON(steps.git-cliff.outputs.content) }}' | \ + SLACK_RELEASE_NOTES=$(printf '%s\n' "$GIT_CLIFF_CONTENT" | \ sed -E 's/\[([^]]+)\]\(([^)]+)\)/<\2|\1>/g' | \ sed -E 's/\*\*([^*]+)\*\*/*\1*/g') echo "content<> "$GITHUB_OUTPUT" From 441bf61d638125803a908b8f8616b8c6b819848e Mon Sep 17 00:00:00 2001 
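Review bot: `GH_REF_NAME: ${{ github.ref_name }}` re-exports a value the runner already provides as the default variable `GITHUB_REF_NAME`, so the new env entry can be dropped and the command written as `gh release create "$GITHUB_REF_NAME" ...`; the same applies to the "no test results" step that follows. Both release steps now carry identical `env:` blocks and commands that differ only in whether `./test-results/*` is passed, which invites the two copies to drift; a single step that builds the asset list conditionally would remove the duplication. The unquoted globs are presumably intentional, but note that without `nullglob` an empty directory makes the literal pattern reach `gh` and the step fail.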
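Review bot: Replacing `echo '${{ toJSON(...) }}'` with `printf '%s\n' "$GIT_CLIFF_CONTENT"` removes the injection but also changes what `SLACK_RELEASE_NOTES` holds: the old value was a JSON string literal (quoted, with `\n` escapes) and the new value is the raw multi-line text, so whatever consumes `steps.slack-notes.outputs.content` should be checked for relying on the old encoding. That raw text is then written to `$GITHUB_OUTPUT` on the last line with what appears to be a heredoc form (the delimiter is not legible in the hunk as extracted); because release notes are assembled from commit messages, a commit body containing a line equal to a fixed delimiter can end the heredoc early and define additional step outputs. Use a per-run delimiter instead, e.g. `delim="$(openssl rand -hex 16)"` followed by `printf 'content<<%s\n%s\n%s\n' "$delim" "$SLACK_RELEASE_NOTES" "$delim" >> "$GITHUB_OUTPUT"`.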
From: Oliver Meyer Date: Thu, 26 Mar 2026 16:48:02 +0100 Subject: [PATCH 4/4] fix(ci): prevent script injection in build-native-only workflow Co-Authored-By: Claude Sonnet 4.6 --- .github/workflows/build-native-only.yml | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/.github/workflows/build-native-only.yml b/.github/workflows/build-native-only.yml index 461907d98..ce87b92b7 100644 --- a/.github/workflows/build-native-only.yml +++ b/.github/workflows/build-native-only.yml @@ -30,13 +30,17 @@ jobs: - name: Get commit message id: get-commit-message shell: bash + env: + GITHUB_EVENT_NAME: ${{ github.event_name }} + PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }} + HEAD_COMMIT_MESSAGE: ${{ github.event.head_commit.message }} run: | - if [ "${{ github.event_name }}" == "pull_request" ]; then + if [ "$GITHUB_EVENT_NAME" == "pull_request" ]; then # For PR events, get the commit message from the PR head SHA - COMMIT_MESSAGE=$(git log -1 --format=%B ${{ github.event.pull_request.head.sha }}) + COMMIT_MESSAGE=$(git log -1 --format=%B "$PR_HEAD_SHA") else # For push events, use the head commit message - COMMIT_MESSAGE="${{ github.event.head_commit.message }}" + COMMIT_MESSAGE="$HEAD_COMMIT_MESSAGE" fi # Export for use in other steps (multiline-safe) # Use printf with %s to avoid interpreting special characters 
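Review bot: The new `GITHUB_EVENT_NAME: ${{ github.event_name }}` entry duplicates a runner-provided default variable of the same name and value, so the script behaves the same whether or not the step-level override is honoured; a name without the reserved `GITHUB_` prefix, such as `EVENT_NAME`, would make the intent clear and avoid shadowing a default variable. The quoting of `"$PR_HEAD_SHA"` here is the form the corresponding step in ci-cd.yml (patch 2/4) should also use, since the two steps are otherwise identical. The step's run body, including the printf export the trailing comments describe, continues outside this hunk.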
@@ -56,9 +60,12 @@ jobs: steps: - name: Check if workflow should run id: check + env: + COMMIT_HAS_MARKER: ${{ contains(needs.get-commit-message.outputs.commit_message, 'build:native:only') }} + PR_HAS_MARKER: ${{ contains(github.event.pull_request.labels.*.name, 'build:native:only') }} run: | - if [[ "${{ contains(needs.get-commit-message.outputs.commit_message, 'build:native:only') }}" == "true" ]] || \ - [[ "${{ contains(github.event.pull_request.labels.*.name, 'build:native:only') }}" == "true" ]]; then + if [[ "$COMMIT_HAS_MARKER" == "true" ]] || \ + [[ "$PR_HAS_MARKER" == "true" ]]; then echo "should_run=true" >> $GITHUB_OUTPUT echo "✅ Workflow triggered: Found 'build:native:only' in commit message or PR labels" else
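Review bot: The two `[[ ... ]]` tests joined by `||` across a line continuation can be one test now that both operands are plain variables: `if [[ "$COMMIT_HAS_MARKER" == "true" || "$PR_HAS_MARKER" == "true" ]]; then`. The `>> $GITHUB_OUTPUT` redirect is unquoted; `>> "$GITHUB_OUTPUT"` is the form the rest of the series uses. Moving the `contains()` calls into `env:` is the right shape here, because the commit message (attacker-influenced on pull requests) is only ever evaluated in expression context and the shell sees just the literal `true`/`false` result. The step's run body continues past `else` outside this hunk.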