🐛 fix(ci): replace head_commit.message expression with git log (shell injection) #38

Merged
arcodange merged 1 commits from fix/ci-commit-msg-shell-injection into main 2026-05-05 07:29:41 +02:00


@@ -299,13 +299,11 @@ jobs:
# Check for version bump on main branch # Check for version bump on main branch
if [ "${{ github.ref }}" = "refs/heads/main" ]; then if [ "${{ github.ref }}" = "refs/heads/main" ]; then
echo "🔖 Checking for version bump..." echo "🔖 Checking for version bump..."
# ${{ github.event.head_commit.message }} is empty on workflow_dispatch (manual trigger). # Always read from git log: ${{ github.event.head_commit.message }} expression
# Fall back to the latest commit message from `git log` so the script always has input. # is interpolated literally into the shell script, so any backtick, unbalanced
COMMIT_MSG="${{ github.event.head_commit.message }}" # quote, or special char in a commit body breaks the next line of the script
if [ -z "$COMMIT_MSG" ]; then # (observed on PR #32-#35: 'syntax error: unexpected newline'). git log is safe.
COMMIT_MSG=$(git log -1 --pretty=%B) COMMIT_MSG=$(git log -1 --pretty=%B)
echo " (using git log -1 because head_commit.message is empty - probably workflow_dispatch)"
fi
./scripts/ci-version-bump.sh "$COMMIT_MSG" --no-push ./scripts/ci-version-bump.sh "$COMMIT_MSG" --no-push
fi fi