atridad/Discodrome
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 6 Wiki Activity

Fix script injection and use jq for manifest updates

Browse Source 
Use environment variables instead of direct ${{ inputs.version }}
interpolation in shell scripts to prevent script injection.
Switch from sed to jq for updating manifest.json, consistent
with how release.yml already reads the version.
This commit is contained in:
deluan
2026-02-07 20:15:29 -05:00
parent ede7856bdb
commit 63ab3ec57e
1 changed files with 16 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.github/workflows/create-release.yml
+16 -8
View File
@@ -17,9 +17,11 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Validate version format
env:
VERSION: ${{ inputs.version }}
run: |
if [[ ! "${{ inputs.version }}" =~ ^[0-9]+\.[0-9]+\.[0-9]+.*$ ]]; then
echo "::error::Invalid version format '${{ inputs.version }}'. Use X.X.X (e.g., 1.2.3)"
if [[ ! "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+.*$ ]]; then
echo "::error::Invalid version format '$VERSION'. Use X.X.X (e.g., 1.2.3)"
exit 1
fi
@@ -27,9 +29,11 @@ jobs:
uses: actions/checkout@v5
- name: Check tag does not already exist
env:
VERSION: ${{ inputs.version }}
run: |
if git ls-remote --tags origin "refs/tags/v${{ inputs.version }}" | grep -q .; then
echo "::error::Tag v${{ inputs.version }} already exists"
if git ls-remote --tags origin "refs/tags/v${VERSION}" | grep -q .; then
echo "::error::Tag v${VERSION} already exists"
exit 1
fi
@@ -42,14 +46,18 @@ jobs:
run: go test -race ./...
- name: Update manifest.json version
env:
VERSION: ${{ inputs.version }}
run: |
sed -i 's/"version": *"[^"]*"/"version": "${{ inputs.version }}"/' manifest.json
jq --arg v "$VERSION" '.version = $v' manifest.json > manifest.tmp && mv manifest.tmp manifest.json
- name: Commit, tag, and push
env:
VERSION: ${{ inputs.version }}
run: |
git config user.name "github-actions[bot]"
git config user.email "github-actions[bot]@users.noreply.github.com"
git add manifest.json
git commit --allow-empty -m "Release v${{ inputs.version }}"
git tag "v${{ inputs.version }}"
git push origin main "v${{ inputs.version }}"
git commit --allow-empty -m "Release v${VERSION}"
git tag "v${VERSION}"
git push origin main "v${VERSION}"