Commit d3f4845

chaliy and claude authored
fix(ci): use env vars in release workflow to prevent script injection (#33)
## Summary

- Fix release workflow failure caused by backticks in commit message body (e.g. `` `just test` ``) being interpreted as bash command substitutions
- Move `github.event.head_commit.message` and `github.event_name` into `env:` block instead of direct `${{ }}` interpolation into bash script

## Test Plan

- [x] Verified failed run 21814065606 — backticks in PR #32 commit body caused `just: command not found`
- [x] Fix passes env vars safely, preventing script injection

## Checklist

- [x] Follows SDK API consistency guidelines
- [ ] Updated relevant specs (if applicable)
- [ ] Added/updated tests
- [x] Updated documentation (if applicable)

https://claude.ai/code/session_011XK7rd7vNxUHj3GXnfwr2N

Co-authored-by: Claude <noreply@anthropic.com>
1 parent 2de2352 commit d3f4845
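
The failure mode described in the commit message can be reproduced locally. This is an added example, not code from this repository: `body`, `run_inline`, `run_env` and the sample message are constructed for illustration, and splicing the value into the script text stands in for `${{ }}` rendering.

```bash
#!/usr/bin/env bash
# Added illustration: why splicing a commit message into script text runs
# its backticks, while passing it through the environment does not.

# Constructed commit message; the backticks wrap a harmless printf.
MSG='chore: prepare v1.2.3

Run `printf executed` before tagging.'

# Step body modelled on the workflow's push branch (sed line as on the page),
# plus a report of whether the backticks survived as literal text.
body() { cat <<'EOF'
VERSION=$(echo "$COMMIT_MSG" | sed -n 's/.*prepare v\([0-9]*\.[0-9]*\.[0-9]*\).*/\1/p')
case "$COMMIT_MSG" in
  (*'`'*) echo "version=$VERSION backticks=literal" ;;
  (*)     echo "version=$VERSION backticks=executed" ;;
esac
EOF
}

# Before the fix: the value becomes part of the script source, which is what
# ${{ }} rendering does. The child shell parses the backticks as a command
# substitution. (Assumes the message has no double quote, as MSG does not.)
run_inline() {
  bash -c "COMMIT_MSG=\"$1\"
$(body)"
}

# After the fix: the script source is constant and the value arrives as an
# environment variable, so the shell never parses it.
run_env() {
  COMMIT_MSG="$1" bash -c "$(body)"
}

run_inline "$MSG"   # version=1.2.3 backticks=executed
run_env "$MSG"      # version=1.2.3 backticks=literal
```

Both paths extract the same version; only the inline path evaluates the message body as shell.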

1 file changed

Lines changed: 4 additions & 2 deletions

.github/workflows/release.yml

@@ -21,13 +21,15 @@ jobs:
2121

2222
- name: Extract version
2323
id: version
24+
env:
25+
EVENT_NAME: ${{ github.event_name }}
26+
COMMIT_MSG: ${{ github.event.head_commit.message }}
2427
run: |
25-
if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
28+
if [ "$EVENT_NAME" = "workflow_dispatch" ]; then
2629
# Manual trigger: read version from rust/Cargo.toml
2730
VERSION=$(grep '^version' rust/Cargo.toml | head -1 | sed 's/.*"\(.*\)".*/\1/')
2831
else
2932
# Push trigger: extract from commit message
30-
COMMIT_MSG="${{ github.event.head_commit.message }}"
3133
VERSION=$(echo "$COMMIT_MSG" | sed -n 's/.*prepare v\([0-9]*\.[0-9]*\.[0-9]*\).*/\1/p')
3234
fi
3335
if [ -z "$VERSION" ]; then
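
Review bot: In the push branch, `sed -n 's/.*prepare v\([0-9]*\.[0-9]*\.[0-9]*\).*/\1/p'` still accepts more than a version. `[0-9]*` matches zero digits, so a message containing `prepare v..` yields `VERSION=..`, and because the commit message is multi-line, every matching line is printed, so `VERSION` can hold several lines. Both cases pass the `[ -z "$VERSION" ]` check that follows. Moving the value into `env:` stops the shell from parsing the message, but the message is still untrusted input, so consider `[0-9][0-9]*` for each component and rejecting any `VERSION` that is not exactly one `N.N.N` line before it is used. `printf '%s\n' "$COMMIT_MSG"` would also be more predictable than `echo "$COMMIT_MSG"` when the message starts with an option-like string such as `-n`.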
