From bbac3e7ff939c6dd980bdfc6d4c48713ceee0ad0 Mon Sep 17 00:00:00 2001 From: Gabriel Radureau Date: Tue, 5 May 2026 07:29:10 +0200 Subject: [PATCH] =?UTF-8?q?=F0=9F=90=9B=20fix(ci):=20replace=20${{=20head?= =?UTF-8?q?=5Fcommit.message=20}}=20expression=20with=20git=20log=20to=20a?= =?UTF-8?q?void=20shell=20injection?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit PR #31 added a fallback to git log -1 --pretty=%B for the workflow_dispatch case (where head_commit.message is empty), but kept ${{ ... }} as the primary source. That expression is interpolated literally into the rendered shell script — so a commit body containing a backtick, an unbalanced quote, or even just a newline at an unfortunate position breaks the line that follows. Symptom: every PR since #31 has shown: /var/run/act/workflow/12.sh: line 34: syntax error: unexpected newline ❌ Failure - Main Update badges and version (multiple commits, single push) Fix: skip the expression entirely. git log -1 --pretty=%B reads the same information from the actual commit and has no shell-injection surface. --- .gitea/workflows/ci-cd.yaml | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/.gitea/workflows/ci-cd.yaml b/.gitea/workflows/ci-cd.yaml index feaf92e..64a2465 100644 --- a/.gitea/workflows/ci-cd.yaml +++ b/.gitea/workflows/ci-cd.yaml 
@@ -299,13 +299,11 @@ jobs: # Check for version bump on main branch if [ "${{ github.ref }}" = "refs/heads/main" ]; then echo "🔖 Checking for version bump..." - # ${{ github.event.head_commit.message }} is empty on workflow_dispatch (manual trigger). - # Fall back to the latest commit message from `git log` so the script always has input. - COMMIT_MSG="${{ github.event.head_commit.message }}" - if [ -z "$COMMIT_MSG" ]; then - COMMIT_MSG=$(git log -1 --pretty=%B) - echo " (using git log -1 because head_commit.message is empty - probably workflow_dispatch)" - fi + # Always read from git log: ${{ github.event.head_commit.message }} expression + # is interpolated literally into the shell script, so any backtick, unbalanced + # quote, or special char in a commit body breaks the next line of the script + # (observed on PR #32-#35: 'syntax error: unexpected newline'). git log is safe. + COMMIT_MSG=$(git log -1 --pretty=%B) ./scripts/ci-version-bump.sh "$COMMIT_MSG" --no-push fi -- 2.49.1
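Review bot: The added comment line `# Always read from git log: ${{ github.event.head_commit.message }} expression` still contains the expression this patch sets out to remove. As the commit message says, the expression is interpolated literally into the rendered shell script. That substitution happens before the shell parses anything, so the leading `#` does not protect it. With a multi-line commit body, only the first line stays inside the comment and the rest lands in the script as ordinary shell lines, which is the same failure and the same injection surface the patch describes. Reword the comment so it contains no `${{ ... }}` at all, for example "the head_commit.message expression". The unchanged context line `if [ "${{ github.ref }}" = "refs/heads/main" ]; then` goes through the same substitution. It would be more robust to pass that value through the step's `env:` and compare a quoted shell variable instead.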