🐛 bug: validate and safely apply workflow version updates #4273
Pull request overview
Hardens the manual Update Version GitHub Actions workflow to prevent source-code injection when updating const Version in app.go, by validating version inputs and applying a safer replacement strategy.
Changes:
- Add semantic-version style validation for the resolved `version` before proceeding.
- Escape the `VERSION` value and replace the entire `const Version = "..."` line via an anchored `sed -E` pattern.
- Preserve existing behavior for auto-detecting the latest draft release tag and skipping commits when no change is needed.
Comments suppressed due to low confidence (1)
.github/workflows/update-version.yml:80
- The post-update verification uses `grep` without `-F`, so the version is treated as a regex (e.g., `.` matches any character). This can produce false positives and fail to actually verify the exact `const Version = "..."` line. Use fixed-string matching (and ideally anchor to the full line) when checking the updated value.

```shell
sed -i -E "s|^const Version = \"[^\"]+\"$|const Version = \"${escaped_version}\"|" app.go
echo "Updated: ${current} → ${VERSION}"
# Verify the change
grep "const Version = \"${VERSION}\"" app.go
```
Codecov Report
✅ All modified and coverable lines are covered by tests.
Additional details and impacted files

```
@@            Coverage Diff             @@
##             main    #4273      +/-   ##
==========================================
+ Coverage   91.21%   91.26%   +0.04%
==========================================
  Files         130      130
  Lines       12760    12760
==========================================
+ Hits        11639    11645       +6
+ Misses        709      704       -5
+ Partials      412      411       -1
```
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Motivation
`.github/workflows/update-version.yml`, where an unvalidated `version` input could break out of the Go string literal in `app.go` and inject arbitrary top-level Go declarations.

Description
- (`^[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.-]+)?$`) in the Determine version step and fail fast for invalid inputs.
- `VERSION` value via `python3` JSON quoting and replace the entire `const Version = "..."` line with a safe `sed -E` pattern to prevent quote-breaking payloads from injecting code into `app.go`.
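The validate, replace and verify sequence this PR describes, written out as an added bash example that is not the repository's workflow; it also applies the reviewer's fixed-string `grep -F` check from the suppressed comment. The helper names, the sed-based escaping (in place of the `python3` JSON quoting the PR uses) and the sample `app.go` contents are assumptions made for the illustration; bash and GNU `sed -i` are assumed.

```shell
#!/usr/bin/env bash
# Added example, not the project's workflow file: validate a version string,
# replace the whole `const Version = "..."` line, and verify the result with
# a fixed-string, whole-line grep. Helper names are hypothetical.
set -euo pipefail

# Semver-style pattern from the PR description (extended regex syntax).
SEMVER_RE='^[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.-]+)?$'

# Succeeds only when the whole string matches SEMVER_RE. Quotes, newlines and
# Go syntax are all rejected here, before anything reaches sed.
validate_version() {
  [[ $1 =~ $SEMVER_RE ]]
}

# Escape the characters that mean something in a sed replacement text
# (\, & and the | delimiter). A validated version cannot contain them, but
# escaping keeps the replacement safe even if the pattern is later relaxed.
escape_for_sed() {
  printf '%s' "$1" | sed 's/[\\&|]/\\&/g'
}

# Replace the entire anchored declaration line in file $2 with version $1.
# The ^...$ anchors only match a well-formed line, so the new value can never
# be appended after the closing quote of an existing declaration.
apply_version() {
  local version=$1 file=$2 escaped
  validate_version "$version" || { echo "rejected version: $version" >&2; return 1; }
  escaped=$(escape_for_sed "$version")
  sed -i -E "s|^const Version = \"[^\"]+\"$|const Version = \"${escaped}\"|" "$file"
}

# The reviewer's point: -F makes '.' literal and -x requires the full line,
# so "1.2.3" no longer "verifies" a file that actually contains "1x2x3".
verify_version() {
  grep -qFx "const Version = \"$1\"" "$2"
}

# Stand-alone demo on a constructed app.go (sample content, not the project's).
demo=$(mktemp)
printf 'package main\n\nconst Version = "1.0.0"\n' > "$demo"
apply_version "1.2.3-rc.1" "$demo" && verify_version "1.2.3-rc.1" "$demo" && echo "updated and verified"
apply_version '1.2.3"; func main() {}' "$demo" || echo "malformed input rejected before sed ran"
rm -f "$demo"
```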