From c4ff35595fcb07a393321d4f720a6ff541270b68 Mon Sep 17 00:00:00 2001 From: Richard Levasseur Date: Fri, 3 Jul 2026 08:27:14 +0000 Subject: [PATCH] fix(release): secure workflows against shell injection - Modify `release_create_rc.yaml`, `release_prepare.yaml`, `release_process_backports.yaml`, and `release_promote_rc.yaml` to pass workflow inputs as environment variables instead of expanding them directly in inline bash scripts. - This prevents potential shell injection vulnerabilities if inputs contain shell metacharacters. --- .github/workflows/release_create_rc.yaml | 7 ++++--- .github/workflows/release_prepare.yaml | 11 ++++++++--- .../workflows/release_process_backports.yaml | 17 ++++++++++------- .github/workflows/release_promote_rc.yaml | 14 ++++++++------ 4 files changed, 30 insertions(+), 19 deletions(-)
diff --git a/.github/workflows/release_create_rc.yaml b/.github/workflows/release_create_rc.yaml
index eaf6250b85..2c48dd8476 100644
--- a/.github/workflows/release_create_rc.yaml
+++ b/.github/workflows/release_create_rc.yaml
@@ -41,11 +41,12 @@ jobs:
- name: Attempt RC Tagging
id: tagger
- run: |
- bazel run //tools/private/release -- \
- create-rc --issue ${{ inputs.issue }} --remote origin
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ ISSUE: ${{ inputs.issue }}
+ run: |
+ bazel run //tools/private/release -- \
+ create-rc --issue "$ISSUE" --remote origin
call_release:
needs: tag_rc
diff --git a/.github/workflows/release_prepare.yaml b/.github/workflows/release_prepare.yaml
index 8ca38cb1c2..c83a7b74f9 100644
--- a/.github/workflows/release_prepare.yaml
+++ b/.github/workflows/release_prepare.yaml
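Review bot: In the new `run:` block, `create-rc --issue "$ISSUE" --remote origin` passes the flag and its value as two separate arguments, so an `ISSUE` value beginning with `-` can still be read by the release tool's option parser as a flag rather than as the issue value, depending on how that tool parses its arguments; the `--issue=…` form this same commit uses in release_prepare.yaml avoids that, so change the line to `create-rc --issue="$ISSUE" --remote origin`. Quoting closes the shell-injection path, but the value still reaches the tool and `gh` unvalidated; if `issue` is an issue number, a guard before the `bazel run` such as `[[ "$ISSUE" =~ ^[0-9]+$ ]] || { echo "issue must be numeric: $ISSUE" >&2; exit 1; }` makes that contract explicit. The `workflow_dispatch` input declaration is outside this hunk, so whether it is already typed `number` cannot be confirmed here; if it is, the guard is belt-and-braces. The enclosing `tag_rc` job's `steps:` header also lies outside the hunk.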
@@ -39,8 +39,13 @@ jobs:
git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
- name: Run Release Preparation Pipeline
- run: |
- bazel run //tools/private/release -- \
- prepare ${{ inputs.issue && format('--issue={0}', inputs.issue) || '' }} --no-dry-run
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ ISSUE: ${{ inputs.issue }}
+ run: |
+ ARGS=()
+ if [ -n "$ISSUE" ]; then
+ ARGS+=("--issue=$ISSUE")
+ fi
+ bazel run //tools/private/release -- \
+ prepare "${ARGS[@]}" --no-dry-run
diff --git a/.github/workflows/release_process_backports.yaml b/.github/workflows/release_process_backports.yaml
index 394a5b0fe9..ca719778df 100644
--- a/.github/workflows/release_process_backports.yaml
+++ b/.github/workflows/release_process_backports.yaml
@@ -55,19 +55,22 @@ jobs:
git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
- name: Process Pending Backports
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ ADD_BACKPORTS: ${{ inputs.add_backports }}
+ COMMENT_ID: ${{ inputs.comment_id }}
+ ISSUE: ${{ inputs.issue }}
run: |
ARGS=()
- if [ -n "${{ inputs.add_backports }}" ]; then
- ARGS+=("--add=${{ inputs.add_backports }}")
+ if [ -n "$ADD_BACKPORTS" ]; then
+ ARGS+=("--add=$ADD_BACKPORTS")
fi
- if [ -n "${{ inputs.comment_id }}" ]; then
- ARGS+=("--triggering-comment=${{ inputs.comment_id }}")
+ if [ -n "$COMMENT_ID" ]; then
+ ARGS+=("--triggering-comment=$COMMENT_ID")
fi
bazel run //tools/private/release -- process-backports \
- --issue ${{ inputs.issue }} \
+ --issue "$ISSUE" \
--remote origin \
--no-dry-run \
"${ARGS[@]}"
- env:
- GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/release_promote_rc.yaml b/.github/workflows/release_promote_rc.yaml
index 987583a1fd..7dc1c118b2 100644
--- a/.github/workflows/release_promote_rc.yaml
+++ b/.github/workflows/release_promote_rc.yaml
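Review bot: The new `if [ -n "$ISSUE" ]` test in release_prepare.yaml is not quite the same predicate as the removed `inputs.issue && format(...)` expression: both skip the flag for an empty input, but a GitHub expression treats a literal `0` or `false` as falsy while `-n` treats any non-empty string as set, so `--issue=0` would now be passed where it previously was not. This only matters if the `issue` input is declared with a non-string type or a default, which is outside the hunk and worth confirming. Since the value is no longer interpolated by the shell but still reaches the release tool and `gh` unvalidated, a numeric guard inside the branch, `[[ "$ISSUE" =~ ^[0-9]+$ ]] || { echo "issue must be numeric: $ISSUE" >&2; exit 1; }`, would pin the expected shape. The `--issue=$ISSUE` form used here is the safer one and is the pattern the other workflows in this commit should follow.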
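Review bot: Within the same `run:` block in release_process_backports.yaml, `--add=$ADD_BACKPORTS` and `--triggering-comment=$COMMENT_ID` use the joined `--flag=value` form while the changed `--issue "$ISSUE" \` line keeps flag and value as two arguments, so an `ISSUE` value that starts with `-` may be taken as an option by the tool's parser depending on how it handles arguments; change it to `--issue="$ISSUE" \` for consistency and to close that gap. The expected shape of `add_backports` and `comment_id` is not visible here; if they are PR/comment numbers (or a delimited list of them), a check such as `[[ "$COMMENT_ID" =~ ^[0-9]+$ ]]` inside the corresponding branch would reject anything else before it reaches `gh` with `GH_TOKEN`. Moving `env:` above `run:` is purely cosmetic and does not change which variables the step sees. The `steps:` list and the `checkout` step this block depends on lie outside the hunk.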
@@ -42,17 +42,19 @@ jobs:
git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
- name: Run Promote RC
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ VERSION: ${{ inputs.version }}
+ ISSUE: ${{ inputs.issue }}
run: |
ARGS=()
- if [ -n "${{ inputs.version }}" ]; then
- ARGS+=("${{ inputs.version }}")
+ if [ -n "$VERSION" ]; then
+ ARGS+=("$VERSION")
fi
- if [ -n "${{ inputs.issue }}" ]; then
- ARGS+=("--issue" "${{ inputs.issue }}")
+ if [ -n "$ISSUE" ]; then
+ ARGS+=("--issue" "$ISSUE")
fi
ARGS+=("--remote" "origin")
ARGS+=("--no-dry-run")
bazel run //tools/private/release -- promote-rc "${ARGS[@]}"
- env:
- GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
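Review bot: `ARGS+=("$VERSION")` in release_promote_rc.yaml passes the version as a bare positional argument, so a `VERSION` value beginning with `-` is handed to the release tool where its option parser, not the shell, decides what it means; the env-var change removes the shell-injection vector but not this one. A format check ahead of the `if`, for example `[[ "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+(rc[0-9]+)?$ ]] || { echo "invalid version: $VERSION" >&2; exit 1; }` (adjusted to whatever scheme the tool actually accepts, which is not visible here), would reject anything that is not a version before `gh` is invoked with `GH_TOKEN`. For the same reason `ARGS+=("--issue" "$ISSUE")` is better written as `ARGS+=("--issue=$ISSUE")`, matching the form this commit introduces in release_prepare.yaml. The `workflow_dispatch` input declarations that would show whether `version` is already constrained are outside the hunk.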