Fix script injection and use jq for manifest updates

Use environment variables instead of direct ${{ inputs.version }} interpolation in shell scripts to prevent script injection. Switch from sed to jq for updating manifest.json, consistent with how release.yml already reads the version.
2026-02-07 20:15:29 -05:00
parent ede7856bdb
commit 63ab3ec57e
1 changed files with 16 additions and 8 deletions
@@ -17,9 +17,11 @@ jobs:
        runs-on: ubuntu-latest
        steps:
            - name: Validate version format
+              env:
+                  VERSION: ${{ inputs.version }}
              run: |
-                  if [[ ! "${{ inputs.version }}" =~ ^[0-9]+\.[0-9]+\.[0-9]+.*$ ]]; then
-                    echo "::error::Invalid version format '${{ inputs.version }}'. Use X.X.X (e.g., 1.2.3)"
+                  if [[ ! "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+.*$ ]]; then
+                    echo "::error::Invalid version format '$VERSION'. Use X.X.X (e.g., 1.2.3)"
                    exit 1
                  fi

@@ -27,9 +29,11 @@ jobs:
              uses: actions/checkout@v5

            - name: Check tag does not already exist
+              env:
+                  VERSION: ${{ inputs.version }}
              run: |
-                  if git ls-remote --tags origin "refs/tags/v${{ inputs.version }}" | grep -q .; then
-                    echo "::error::Tag v${{ inputs.version }} already exists"
+                  if git ls-remote --tags origin "refs/tags/v${VERSION}" | grep -q .; then
+                    echo "::error::Tag v${VERSION} already exists"
                    exit 1
                  fi

@@ -42,14 +46,18 @@ jobs:
              run: go test -race ./...

            - name: Update manifest.json version
+              env:
+                  VERSION: ${{ inputs.version }}
              run: |
-                  sed -i 's/"version": *"[^"]*"/"version": "${{ inputs.version }}"/' manifest.json
+                  jq --arg v "$VERSION" '.version = $v' manifest.json > manifest.tmp && mv manifest.tmp manifest.json

            - name: Commit, tag, and push
+              env:
+                  VERSION: ${{ inputs.version }}
              run: |
                  git config user.name "github-actions[bot]"
                  git config user.email "github-actions[bot]@users.noreply.github.com"
                  git add manifest.json
-                  git commit --allow-empty -m "Release v${{ inputs.version }}"
-                  git tag "v${{ inputs.version }}"
-                  git push origin main "v${{ inputs.version }}"
+                  git commit --allow-empty -m "Release v${VERSION}"
+                  git tag "v${VERSION}"
+                  git push origin main "v${VERSION}"