From 545919136274ac95bfb74419360ef2e06e7f4536 Mon Sep 17 00:00:00 2001
From: Florian
Date: Wed, 6 May 2026 11:02:02 +0200
Subject: [PATCH 1/2] fix(release:PLA-1355): harden version tag input

---
 .github/workflows/release.yml | 61 ++++++++++++++++++++++++-----------
 1 file changed, 42 insertions(+), 19 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 071450edf..a9d4c002c 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -25,8 +25,23 @@ jobs:
 runs-on: "${{ github.repository_owner == 'erpc' && 'blacksmith-8vcpu-ubuntu-2404' || 'ubuntu-24.04' }}"
 if: github.event_name == 'workflow_dispatch'
 outputs:
- version: ${{ github.event.inputs.version_tag }}
+ version: ${{ steps.validate-version.outputs.version }}
 steps:
+ - name: Validate version_tag
+ id: validate-version
+ shell: bash
+ env:
+ VERSION_TAG: ${{ github.event.inputs.version_tag }}
+ run: |
+ set -euo pipefail
+
+ if [[ ! "$VERSION_TAG" =~ ^v?[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$ ]]; then
+ printf 'Invalid version_tag: %s\n' "$VERSION_TAG" >&2
+ exit 1
+ fi
+
+ printf 'version=%s\n' "$VERSION_TAG" >> "$GITHUB_OUTPUT"
+
 - name: Harden the runner (Audit all outbound calls)
 uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
 with:
@@ -57,7 +72,7 @@ jobs:
 version: "~> v2"
 args: release --snapshot --clean
 env:
- GORELEASER_CURRENT_TAG: ${{ github.event.inputs.version_tag }}
+ GORELEASER_CURRENT_TAG: ${{ steps.validate-version.outputs.version }}
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

 # Setup pnpm + node and install dependencies
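Review bot: The new `Validate version_tag` step is inserted ahead of `Harden the runner (Audit all outbound calls)`, so the step that is meant to observe every outbound call of the job now runs second; the validation is shell-only and makes no network calls, but harden-runner is designed to be the first step, and placing the new step directly below it costs nothing. The shape of the check itself is right: with `set -euo pipefail` and the anchored `[[ =~ ]]` test, the only value that reaches `$GITHUB_OUTPUT`, and from there every `${{ steps.validate-version.outputs.version }}` expression, is a string that matched the pattern. A one-line comment above the regex would make that contract explicit for the next maintainer: `# Only a pattern-matched value is exported; it is later interpolated into ${{ }} expressions, commit messages and a branch name.` The job's `steps:` list continues past the hunk.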
@@ -83,20 +98,26 @@ jobs:

 # Update version in package.json files
 - name: Update package versions
+ env:
+ VERSION_TAG: ${{ steps.validate-version.outputs.version }}
 run: |
 for pkg in . typescript/cli typescript/config; do
- cd $pkg
- npm version ${{ github.event.inputs.version_tag }} --no-git-tag-version
+ cd "$pkg"
+ npm version "$VERSION_TAG" --no-git-tag-version
 cd -
 done

 # Generate the release files using the snapshot checksums
 - name: Generate CLI release files
 working-directory: typescript/cli
+ env:
+ CHECKSUMS_FILE: ../../dist/checksums.txt
+ COMMIT_SHA: ${{ github.sha }}
+ VERSION_TAG: ${{ steps.validate-version.outputs.version }}
 run: |
- export VERSION="${{ github.event.inputs.version_tag }}"
- export COMMIT_SHA=${{ github.sha }}
- export CHECKSUMS_FILE=../../dist/checksums.txt
+ export VERSION="$VERSION_TAG"
+ export COMMIT_SHA
+ export CHECKSUMS_FILE
 pnpm run build
 npx ts-node ./src/script/generate-release-files.ts

@@ -108,17 +129,17 @@ jobs:
 - name: Create Pull Request
 uses: peter-evans/create-pull-request@22a9089034f40e5a961c8808d113e2c98fb63676 # v7.0.11
 with:
- commit-message: "chore: release ${{ github.event.inputs.version_tag }}"
- title: "chore: release ${{ github.event.inputs.version_tag }}"
+ commit-message: "chore: release ${{ steps.validate-version.outputs.version }}"
+ title: "chore: release ${{ steps.validate-version.outputs.version }}"
 body: |
- 🚀 Release preparation for version ${{ github.event.inputs.version_tag }}
+ 🚀 Release preparation for version ${{ steps.validate-version.outputs.version }}

 This PR includes:
 - Version bumps in package.json files
 - Generated TypeScript types
 - Generated release files
 - Generated checksums
- branch: "release/${{ github.event.inputs.version_tag }}"
+ branch: "release/${{ steps.validate-version.outputs.version }}"
 base: morpho-main
 labels: release

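Review bot: The `cd "$pkg"` / `cd -` pair in `Update package versions` still relies on the loop returning to the repo root by hand: `cd -` echoes the restored directory to stdout, and if `npm version` fails mid-loop the step aborts (presumably under the runner's fail-fast bash, the step declares no `shell:`) with the working directory already changed. A subshell, `( cd "$pkg" && npm version "$VERSION_TAG" --no-git-tag-version )`, removes both the `cd -` and the carried-over state. In `Generate CLI release files`, `export COMMIT_SHA` and `export CHECKSUMS_FILE` are no-ops, since values declared under the step's `env:` are already in the process environment; either drop them or add `# already in the environment via env:, re-exported only for readability` so nobody reads them as doing work. Both steps sit inside a job whose header is outside the hunk.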
@@ -153,7 +174,7 @@ jobs:
 COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
 run: |
 VERSION=$(echo "$COMMIT_MESSAGE" | grep -oP 'release \K([0-9]+\.[0-9]+\.[0-9]+)')
- echo "VERSION=$VERSION" >> $GITHUB_OUTPUT
+ echo "VERSION=$VERSION" >> "$GITHUB_OUTPUT"

 - name: Set up Go
 uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0
@@ -305,7 +326,7 @@ jobs:
 COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
 run: |
 VERSION=$(echo "$COMMIT_MESSAGE" | grep -oP 'release \K([0-9]+\.[0-9]+\.[0-9]+)')
- echo "VERSION=$VERSION" >> $GITHUB_OUTPUT
+ echo "VERSION=$VERSION" >> "$GITHUB_OUTPUT"

 - name: Build+push by digest (branch)
 id: build_main
@@ -431,7 +452,7 @@ jobs:
 COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
 run: |
 VERSION=$(echo "$COMMIT_MESSAGE" | grep -oP 'release \K([0-9]+\.[0-9]+\.[0-9]+)')
- echo "VERSION=$VERSION" >> $GITHUB_OUTPUT
+ echo "VERSION=$VERSION" >> "$GITHUB_OUTPUT"

 - name: Build+push by digest (branch)
 id: build_main
@@ -538,7 +559,7 @@ jobs:
 COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
 run: |
 VERSION=$(echo "$COMMIT_MESSAGE" | grep -oP 'release \K([0-9]+\.[0-9]+\.[0-9]+)')
- echo "VERSION=$VERSION" >> $GITHUB_OUTPUT
+ echo "VERSION=$VERSION" >> "$GITHUB_OUTPUT"

 - name: Create multi-arch manifest for branch
 id: main
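Review bot: The value written by the quoted `echo "VERSION=$VERSION" >> "$GITHUB_OUTPUT"` can still be multi-line: `grep -oP` prints every match, so a head-commit message that mentions `release X.Y.Z` twice produces two lines in `VERSION`, and the second one lands in `$GITHUB_OUTPUT` as a bare line rather than a `name=value` pair. Pinning it to the first match and failing on an empty result closes that, `VERSION=$(printf '%s\n' "$COMMIT_MESSAGE" | grep -oP 'release \K([0-9]+\.[0-9]+\.[0-9]+)' | head -n1)` followed by `[[ -n "$VERSION" ]] || { echo "no release version in commit message" >&2; exit 1; }`; the explicit check matters because once `head` is the last command in the pipeline a non-match no longer fails the step on its own unless `pipefail` is set, and the step's `shell:` is outside the hunk. The same three-line extraction is duplicated in the hunks at -153, -305, -431 and -538; a single job output would keep the four copies from drifting, and the fix above applies to each of them. The enclosing steps and jobs start outside the hunks.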
@@ -593,10 +614,12 @@ jobs:
 DIGEST_RELEASE_VALIDATOR=$(docker inspect --format='{{index .RepoDigests 0}}' ghcr.io/${{ steps.meta.outputs.repo }}-validator:${{ steps.version.outputs.VERSION }})
 docker pull ghcr.io/${{ steps.meta.outputs.repo }}-validator:latest
 DIGEST_LATEST_VALIDATOR=$(docker inspect --format='{{index .RepoDigests 0}}' ghcr.io/${{ steps.meta.outputs.repo }}-validator:latest)
- echo "digest_release=${DIGEST_RELEASE#*@}" >> "$GITHUB_OUTPUT"
- echo "digest_latest=${DIGEST_LATEST#*@}" >> "$GITHUB_OUTPUT"
- echo "digest_release_validator=${DIGEST_RELEASE_VALIDATOR#*@}" >> "$GITHUB_OUTPUT"
- echo "digest_latest_validator=${DIGEST_LATEST_VALIDATOR#*@}" >> "$GITHUB_OUTPUT"
+ {
+ echo "digest_release=${DIGEST_RELEASE#*@}"
+ echo "digest_latest=${DIGEST_LATEST#*@}"
+ echo "digest_release_validator=${DIGEST_RELEASE_VALIDATOR#*@}"
+ echo "digest_latest_validator=${DIGEST_LATEST_VALIDATOR#*@}"
+ } >> "$GITHUB_OUTPUT"

 - name: Attest build provenance (Docker Manifest Main)
 uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3.2.0

From 25f6306a605dedc8a75dd1dbe730bd4c2f65344c Mon Sep 17 00:00:00 2001
From: Florian
Date: Wed, 6 May 2026 11:10:14 +0200
Subject: [PATCH 2/2] fix(release:PLA-1355): match accepted tag format

---
 .github/workflows/release.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index a9d4c002c..ee7417b74 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -35,7 +35,7 @@ jobs:
 run: |
 set -euo pipefail

- if [[ ! "$VERSION_TAG" =~ ^v?[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$ ]]; then
+ if [[ ! "$VERSION_TAG" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
 printf 'Invalid version_tag: %s\n' "$VERSION_TAG" >&2
 exit 1
 fi
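Review bot: The grouped `{ … } >> "$GITHUB_OUTPUT"` block writes whatever `${DIGEST_*#*@}` expands to, so if one of the `docker inspect` captures above it (two are in the hunk, the others presumably precede it) came back empty, an empty `digest_release=` line is recorded and flows into the `Attest build provenance (Docker Manifest Main)` step that follows, which is the wrong place to discover it. A guard just before the block makes the step fail with a clear message instead: `for d in DIGEST_RELEASE DIGEST_LATEST DIGEST_RELEASE_VALIDATOR DIGEST_LATEST_VALIDATOR; do [[ "${!d}" == *@sha256:* ]] || { printf '%s has no digest\n' "$d" >&2; exit 1; }; done`. Whether the step already runs fail-fast depends on its `shell:`, which is outside the hunk, as is the start of the `run:` block.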
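Review bot: The tightened `^[0-9]+\.[0-9]+\.[0-9]+$` pattern drops the `v` prefix and pre-release/build suffixes without saying why, and the reason is not local to this step: the push-triggered jobs recover the version from the `chore: release X.Y.Z` commit message with `grep -oP 'release \K([0-9]+\.[0-9]+\.[0-9]+)'`, so a `v1.2.3` or `1.2.3-rc1` that passed here would be truncated or missed there. A comment above the `if` would pin that down: `# Bare X.Y.Z only: the push-triggered jobs re-extract the version from the "chore: release X.Y.Z" commit message with the same digits-and-dots pattern, so any other form would validate here and be mis-parsed later.` The rejection message could state the accepted form as well, `printf 'Invalid version_tag: %s (expected X.Y.Z)\n' "$VERSION_TAG" >&2`. The step's `name`, `id` and `env` lines are outside the hunk.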