prevent from shell injection #3

Closed
wants to merge 7 commits into from
10 changes: 7 additions & 3 deletions .github/actions/checkout-pr/action.yml
Expand Up @@ -20,18 +20,22 @@ runs:
#- uses: actions/checkout@v4
- name: git config
run: |
git config --local user.email "${{ inputs.user }}@users.noreply.github.com"
git config --local user.name "${{ inputs.user }}"
git config --local user.email "$USER@users.noreply.github.com"
git config --local user.name "$USER"
shell: bash
env:
USER: ${{ inputs.user }}
# pr_numberからPR情報を取得
- name: Get PR
run: |
pr_json=$(gh pr view ${{ inputs.pr_number }} --json isDraft,headRefName)
pr_json=$(gh pr view "$PR_NUMBER" --json isDraft,headRefName)
echo "pr_is_draft=$(echo $pr_json | jq -r '.isDraft')" >> $GITHUB_OUTPUT
echo "pr_head_ref=$(echo $pr_json | jq -r '.headRefName')" >> $GITHUB_OUTPUT
echo $pr_json
id: get_pr
shell: bash
env:
PR_NUMBER: ${{ inputs.pr_number }}
- uses: actions/checkout@v4
with:
ref: ${{ steps.get_pr.outputs.pr_head_ref }}
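Review bot: the remaining unquoted expansions in this hunk still deserve attention: `echo "pr_is_draft=$(echo $pr_json | jq -r '.isDraft')" >> $GITHUB_OUTPUT` passes `$pr_json` and `$GITHUB_OUTPUT` through word splitting and globbing; prefer `jq -r '.isDraft' <<<"$pr_json"` and `>> "$GITHUB_OUTPUT"`. `USER` also shadows the login-name variable that many tools read, so a name such as `GIT_USER` avoids surprises. Moving `inputs.user` and `inputs.pr_number` into `env:` is the right fix, because an expression inside `run:` is substituted before bash ever parses the script.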
4 changes: 3 additions & 1 deletion .github/actions/get-changelog/action.yml
Expand Up @@ -16,8 +16,10 @@ runs:
run: |
{
echo 'changelog<<EOF'
sed -n '/## ${{ inputs.version }}/,/^## /p' CHANGELOG.md | sed -e 1d -e '$d'
sed -n "/## $VERSION/,/^## /p" CHANGELOG.md | sed -e 1d -e '$d'
echo EOF
} >> $GITHUB_OUTPUT
id: changelog
shell: bash
env:
VERSION: ${{ inputs.version }}
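Review bot: `sed -n "/## $VERSION/,/^## /p"` still splices `inputs.version` into the sed program, so the env move closes the shell-injection path but not sed's: a `/` in the value ends the address and any regex metacharacter changes what is matched. Validate the version before using it, e.g. `[[ "$VERSION" =~ ^[0-9A-Za-z.+-]+$ ]] || exit 1`, and quote `>> "$GITHUB_OUTPUT"`.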
4 changes: 3 additions & 1 deletion .github/actions/rewrite-package-json/action.yml
Expand Up @@ -16,10 +16,12 @@ runs:
# バージョンをpackage.jsonに書き込み
- name: Write version
run: |
# keep using ${{ inputs.package_jsons }} for array declaration
declare -a package_jsons=(${{ inputs.package_jsons }})
for package_json in ${package_jsons[@]}; do
jq $INDENT_OPTION '.version = "${{ inputs.version }}"' "${package_json}" > "${package_json}.tmp" && mv "${package_json}.tmp" "${package_json}"
jq $INDENT_OPTION ".version = \"$VERSION\"" "${package_json}" > "${package_json}.tmp" && mv "${package_json}.tmp" "${package_json}"
done
shell: bash
env:
INDENT_OPTION: ${{ inputs.indent != 'tab' && format('--indent {0}', inputs.indent) || '--tab' }}
VERSION: ${{ inputs.version }}
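Review bot: `jq $INDENT_OPTION ".version = \"$VERSION\""` interpolates the value into the jq filter, so a version containing `"` or `\` breaks out of the string literal; pass it as data instead: `jq $INDENT_OPTION --arg v "$VERSION" '.version = $v'`. The `declare -a package_jsons=(${{ inputs.package_jsons }})` line that the comment keeps on purpose is still a template expansion inside `run:`, the same class of bug this PR removes elsewhere; `read -ra package_jsons <<< "$PACKAGE_JSONS"` with `PACKAGE_JSONS: ${{ inputs.package_jsons }}` under `env:` yields the same whitespace-split array. The `for` loop should also iterate over `"${package_jsons[@]}"` quoted.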
15 changes: 10 additions & 5 deletions .github/workflows/create-prerelease.yml
Expand Up @@ -91,10 +91,13 @@ jobs:
# release/ブランチにpush、タグを作成
- name: Commit version
run: |
git commit -am "Bump version to ${{ steps.release_version.outputs.result }}"
git push origin HEAD:release/${{ steps.v.outputs.target_version }}
git tag "${{ steps.release_version.outputs.result }}"
git push origin "${{ steps.release_version.outputs.result }}"
git commit -am "Bump version to $VERSION_NAME"
git push origin "HEAD:release/$TARGET_VERSION"
git tag "$VERSION_NAME"
git push origin "$VERSION_NAME"
env:
VERSION_NAME: ${{ steps.release_version.outputs.result }}
TARGET_VERSION: ${{ steps.v.outputs.target_version }}
# CHANGELOG.mdの内容を取得
- name: Get changelog
uses: misskey-dev/release-manager-actions/.github/actions/get-changelog@v1
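Review bot: the version strings now reach `git tag`, the push refspecs and the commit message only through env, which is correct; what remains is the shape of the value rather than quoting, since a `$VERSION_NAME` beginning with `-` would be read by `git tag` as an option and a `$TARGET_VERSION` containing `..` or a space is not a valid ref name. A check such as `git check-ref-format "refs/tags/$VERSION_NAME"` before this step fails early with a clear message instead of partway through the push sequence.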
Expand All @@ -111,8 +114,10 @@ jobs:
- name: Create release
env:
GITHUB_TOKEN: ${{ inputs.use_external_app_to_release && steps.release-app-token.outputs.token || secrets.GITHUB_TOKEN }}
VERSION_NAME: ${{ steps.release_version.outputs.result }}
CHANGELOG: ${{ steps.changelog.outputs.changelog }}
run: |
gh release create "${{ steps.release_version.outputs.result }}" --prerelease --title "${{ steps.release_version.outputs.result }}" --notes "${{ steps.changelog.outputs.changelog }}"
gh release create "$VERSION_NAME" --prerelease --title "$VERSION_NAME" --notes "$CHANGELOG"
Member (Author) commented:
For now this works well enough, so I think it's fine as is, but command-line arguments aren't well suited to passing data and the length limit isn't very generous, so in the future I'd like to go through a file or similar.

# PRのnotesを更新
# (通常release-edit-with-pushで更新されているためここで更新されることはない)
#- name: Update PR
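Review bot: `--notes "$CHANGELOG"` passes the whole changelog as a single argument, which is exactly what the author's comment flags: it is bounded by the argument/environment size limit and shows up in full in process listings. `gh release create` accepts `--notes-file`, so `printf '%s\n' "$CHANGELOG" > "$RUNNER_TEMP/notes.md"` followed by `--notes-file "$RUNNER_TEMP/notes.md"` removes the limit without changing anything else in the step.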
34 changes: 24 additions & 10 deletions .github/workflows/create-target.yml
Expand Up @@ -51,8 +51,10 @@ jobs:
- uses: actions/checkout@v4
- name: git config
run: |
git config --local user.email "${{ inputs.user }}@users.noreply.github.com"
git config --local user.name "${{ inputs.user }}"
git config --local user.email "[email protected]"
git config --local user.name "$USER"
env:
USER: ${{ inputs.user }}
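Review bot: the line `git config --local user.email "[email protected]"` as rendered here differs from the corresponding change in `.github/actions/checkout-pr/action.yml`, which reads `"$USER@users.noreply.github.com"`. This looks like address obfuscation by the page renderer rather than the committed text, but please confirm the file contains the `$USER@...` form, because the literal string would stamp every commit with the wrong author address.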
# jqでpackage.jsonから現在のバージョンを取得
- name: Get current version
run: |
Expand All @@ -69,8 +71,10 @@ jobs:
result-encoding: string
id: target_version
- name: beta 0
run: echo "result=${{ steps.target_version.outputs.result }}-beta.0" >> $GITHUB_OUTPUT
run: echo "result=$TARGET_VERSION-beta.0" >> $GITHUB_OUTPUT
id: release_version
env:
TARGET_VERSION: ${{ steps.target_version.outputs.result }}
# バージョンをpackage.jsonに書き込み
- name: Write version
uses: misskey-dev/release-manager-actions/.github/actions/rewrite-package-json@v1
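Review bot: `echo "result=$TARGET_VERSION-beta.0" >> $GITHUB_OUTPUT` should quote `"$GITHUB_OUTPUT"`. More importantly, `GITHUB_OUTPUT` is a line-oriented `key=value` file, so a value containing a newline would define extra outputs of its own; `steps.target_version.outputs.result` comes from the preceding script step and is presumably a plain version string, but asserting that (`[[ "$TARGET_VERSION" != *$'\n'* ]] || exit 1`) costs one line and documents the assumption.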
Expand All @@ -87,14 +91,19 @@ jobs:
# CHANGELOG.mdのバージョンの書き換え
- name: Modify CHANGELOG.md
run: |
sed -i 's/## Unreleased/## ${{ steps.target_version.outputs.result }}/' CHANGELOG.md
sed -i "s/## Unreleased/## $TARGET_VERSION/" CHANGELOG.md
env:
TARGET_VERSION: ${{ steps.target_version.outputs.result }}
# release/ブランチとタグを作成
- name: Commit version
run: |
git commit -am "Bump version to ${{ steps.release_version.outputs.result }}"
git push origin HEAD:release/${{ steps.target_version.outputs.result }}
git tag "${{ steps.release_version.outputs.result }}"
git push origin "${{ steps.release_version.outputs.result }}"
git commit -am "Bump version to $VERSION_NAME"
git push origin "HEAD:release/$TARGET_VERSION"
git tag "$VERSION_NAME"
git push origin "$VERSION_NAME"
env:
VERSION_NAME: ${{ steps.release_version.outputs.result }}
TARGET_VERSION: ${{ steps.target_version.outputs.result }}
# リリースを作成
- uses: actions/create-github-app-token@v1
id: release-app-token
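Review bot: `sed -i "s/## Unreleased/## $TARGET_VERSION/" CHANGELOG.md` embeds the version on the replacement side of a sed `s` command, where `/` terminates the command, `&` re-inserts the matched text and backslash escapes are interpreted; the shell-injection fix is right, but the sed-program interpolation remains. Validating the version format before this step (the same `^[0-9A-Za-z.+-]+$` check suggested for get-changelog) would cover both sed uses at once.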
Expand All @@ -105,12 +114,17 @@ jobs:
- name: Create release
env:
GITHUB_TOKEN: ${{ inputs.use_external_app_to_release && steps.release-app-token.outputs.token || secrets.GITHUB_TOKEN }}
VERSION_NAME: ${{ steps.release_version.outputs.result }}
CHANGELOG: ${{ steps.changelog.outputs.changelog }}
run: |
gh release create "${{ steps.release_version.outputs.result }}" --prerelease --title "${{ steps.release_version.outputs.result }}" --notes "${{ steps.changelog.outputs.changelog }}"
gh release create "$VERSION_NAME" --prerelease --title "$VERSION_NAME" --notes "$CHANGELOG"
# PRを作成
- name: Create PR
run: |
gh pr create --draft --title "Release: ${{ steps.target_version.outputs.result }}" --body "${{ steps.changelog.outputs.changelog }}" --head release/${{ steps.target_version.outputs.result }} --base ${{ github.ref_name }}
gh pr create --draft --title "Release: TARGET_VERSION" --body "$CHANGELOG" --head "release/$TARGET_VERSION" --base "$GITHUB_REF_NAME"
env:
TARGET_VERSION: ${{ steps.target_version.outputs.result }}
CHANGELOG: ${{ steps.changelog.outputs.changelog }}

# rulesetを切り替え
- uses: actions/create-github-app-token@v1
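Review bot: `--title "Release: TARGET_VERSION"` on the `gh pr create` line is missing the `$`, so every release PR will be titled literally `Release: TARGET_VERSION`; it should read `"Release: $TARGET_VERSION"`. Otherwise the hunk is sound: `$GITHUB_REF_NAME` is a runner-provided variable, and `--body "$CHANGELOG"` carries the same argument-size caveat as `--notes` in create-prerelease.yml (`gh pr create --body-file` is available for the same reason).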
32 changes: 23 additions & 9 deletions .github/workflows/merge.yml
Expand Up @@ -95,14 +95,18 @@ jobs:
# mergeable: UNKNOWNを回避したい
- name: 'Pre-fetch PR data'
run: |
gh pr view ${{ inputs.pr_number }} --json mergeable
gh pr view "$PR_NUMBER" --json mergeable
env:
PR_NUMBER: ${{ inputs.pr_number }}
- name: Sleep
run: sleep 5s

- name: 'Fetch PR data'
id: pr-data
run: |
echo "data=$(gh pr view ${{ inputs.pr_number }} --json baseRefName,reviewDecision,isDraft,mergeStateStatus,statusCheckRollup,mergeable)" >> $GITHUB_OUTPUT
echo "data=$(gh pr view "$PR_NUMBER" --json baseRefName,reviewDecision,isDraft,mergeStateStatus,statusCheckRollup,mergeable)" >> $GITHUB_OUTPUT
env:
PR_NUMBER: ${{ inputs.pr_number }}
- name: 'Check Mergeable: compare'
uses: actions/script@v7
env:
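Review bot: the two `gh pr view "$PR_NUMBER"` calls are now safe against shell metacharacters, but `gh pr view` also accepts a URL or branch name as its argument, so a non-numeric `inputs.pr_number` would silently address a different PR; a guard such as `[[ "$PR_NUMBER" =~ ^[0-9]+$ ]] || exit 1` at the top of the first step pins the meaning. `>> $GITHUB_OUTPUT` should be `>> "$GITHUB_OUTPUT"` as elsewhere.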
Expand Down Expand Up @@ -162,9 +166,11 @@ jobs:
- name: Commit version
run: |
if [ -n "$(git status --porcelain)" ]; then
git commit -am "[skip ci] Release: ${{ steps.v.outputs.target_version }}"
git push origin HEAD:release/${{ steps.v.outputs.target_version }}
git commit -am "[skip ci] Release: $TARGET_VERSION"
git push origin "HEAD:release/$TARGET_VERSION"
fi
env:
TARGET_VERSION: ${{ steps.v.outputs.target_version }}

# CHANGELOG.mdの内容を取得
- name: Get changelog
Expand All @@ -175,8 +181,10 @@ jobs:

- name: Create tag
run: |
git tag "${{ steps.v.outputs.target_version }}"
git push origin "${{ steps.v.outputs.target_version }}"
git tag "$TARGET_VERSION"
git push origin "$TARGET_VERSION"
env:
TARGET_VERSION: ${{ steps.v.outputs.target_version }}

# リリースを作成
- uses: actions/create-github-app-token@v1
Expand All @@ -188,19 +196,23 @@ jobs:
- name: Create release
env:
GITHUB_TOKEN: ${{ inputs.use_external_app_to_release && steps.release-app-token.outputs.token || secrets.GITHUB_TOKEN }}
TARGET_VERSION: ${{ steps.v.outputs.target_version }}
CHANGELOG: ${{ steps.changelog.outputs.changelog }}
run: |
gh release create "${{ steps.v.outputs.target_version }}" --title "${{ steps.v.outputs.target_version }}" --notes "${{ steps.changelog.outputs.changelog }}"
gh release create "$TARGET_VERSION" --title "$TARGET_VERSION" --notes "$CHANGELOG"

# Merge
# (Retry because mergeable can unknown after push)
- name: Merge PR
uses: prichey/retry@c92c7ba2f5f4d0b3b7b2b04cc5c6672f9c884a3f
with:
command: |
gh pr merge ${{ inputs.pr_number }} --merge
gh pr merge "$PR_NUMBER" --merge
timeout_seconds: 30
max_attempts: 3
retry_wait_seconds: 5
env:
PR_NUMBER: ${{ inputs.pr_number }}

# Declear base branch
- name: Declear base branch
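Review bot: putting `env: PR_NUMBER` on the `prichey/retry` step works as long as the action runs `command:` in a shell that inherits the step environment, which retry actions normally do; a single test run confirms `"$PR_NUMBER"` expands there. Pinning the third-party action to a full commit SHA is the right choice; a trailing `# vX.Y` comment on that line would make future bumps reviewable.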
Expand All @@ -221,4 +233,6 @@ jobs:
- name: Update CHANGELOG.md (prepend template)
run: |
git commit -am "[skip ci] Update CHANGELOG.md (prepend template)"
git push origin HEAD:${{ steps.declear-base-branch.outputs.base_branch }}
git push origin "HEAD:$BASE_BRANCH"
env:
BASE_BRANCH: ${{ steps.declear-base-branch.outputs.base_branch }}
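Review bot: `git push origin "HEAD:$BASE_BRANCH"` is correct. As a style point, the `declear-base-branch` id and the `Declear base branch` step name in the context above are misspellings of `declare`; since the id is referenced here, both would need to change together.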
7 changes: 5 additions & 2 deletions .github/workflows/release-edit-with-push.yml
Expand Up @@ -23,7 +23,7 @@ jobs:
# headがrelease/かつopenのPRを1つ取得
- name: Get PR
run: |
echo "pr_number=$(gh pr list --limit 1 --head "${{ github.ref_name }}" --json number --jq '.[] | .number')" >> $GITHUB_OUTPUT
echo "pr_number=$(gh pr list --limit 1 --head "$GITHUB_REF_NAME" --json number --jq '.[] | .number')" >> $GITHUB_OUTPUT
id: get_pr
- name: Get target version
uses: misskey-dev/release-manager-actions/.github/actions/get-target-version@v1
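Review bot: `gh pr list --limit 1 --head "$GITHUB_REF_NAME" --json number --jq '.[] | .number'` yields an empty string when no open PR matches, and nothing in the step fails on that, so an empty value is carried into `steps.get_pr.outputs.pr_number` and the later `gh pr edit "$PR_NUMBER"` runs with an empty argument. Capture the result into a variable, test `[ -n "$pr_number" ] || exit 1`, and quote `"$GITHUB_OUTPUT"`.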
Expand All @@ -37,4 +37,7 @@ jobs:
# PRのnotesを更新
- name: Update PR
run: |
gh pr edit ${{ steps.get_pr.outputs.pr_number }} --body "${{ steps.changelog.outputs.changelog }}"
gh pr edit "$PR_NUMBER" --body "$CHANGELOG"
env:
PR_NUMBER: ${{ steps.get_pr.outputs.pr_number }}
CHANGELOG: ${{ steps.changelog.outputs.changelog }}
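Review bot: `gh pr edit "$PR_NUMBER" --body "$CHANGELOG"` has the same argument-length ceiling the author's comment mentions; `gh pr edit --body-file` reads the body from a file, so writing `$CHANGELOG` to `$RUNNER_TEMP` first removes that limit here as well.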
4 changes: 3 additions & 1 deletion .github/workflows/release-with-ready.yml
Expand Up @@ -22,9 +22,11 @@ jobs:
# PR情報を取得
- name: Get PR
run: |
pr_json=$(gh pr view ${{ github.event.pull_request.number }} --json isDraft,headRefName)
pr_json=$(gh pr view "$PR_NUMBER" --json isDraft,headRefName)
echo "ref=$(echo $pr_json | jq -r '.headRefName')" >> $GITHUB_OUTPUT
id: get_pr
env:
PR_NUMBER: ${{ github.event.pull_request.number }}
release:
uses: misskey-dev/release-manager-actions/.github/workflows/create-prerelease.yml@v1
needs: check
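Review bot: `echo "ref=$(echo $pr_json | jq -r '.headRefName')" >> $GITHUB_OUTPUT` still word-splits `$pr_json` and `$GITHUB_OUTPUT`; use `jq -r '.headRefName' <<<"$pr_json"` and `>> "$GITHUB_OUTPUT"`. Since this workflow reacts to a pull request event, the head ref name it emits is chosen by whoever opened the PR, so the consuming `create-prerelease` workflow must keep treating it as data (through `env:`, as this PR does) and never place it inside a `run:` expression.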