From a1975af097c56b3734a38c85b5d5d0117c66f977 Mon Sep 17 00:00:00 2001
From: Anthony Ettinger
Date: Sat, 30 May 2026 12:47:03 +0000
Subject: [PATCH] fix(ci): finish shell-injection removal in submit-packages + re-enable semgrep --error

Completes #10: the Chocolatey job's Determine version / Submit / Summary steps and both Linux/Chocolatey Summary steps still interpolated github.event.inputs.* directly in run: blocks. Move them all into step-level env: vars referenced as quoted shell variables, and restore --error on semgrep so findings block CI.

Co-Authored-By: Claude Opus 4.8 (1M context)
---
.github/workflows/security.yml | 4 +---
.github/workflows/submit-packages.yml | 22 +++++++++++++++-------
2 files changed, 16 insertions(+), 10 deletions(-)

diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index 91e08f8..e0f0ad6 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -17,10 +17,8 @@ jobs:
 image: semgrep/semgrep
 steps:
 - uses: actions/checkout@v4
- # Report ERROR-severity findings in the log without failing the build.
- # (Drop `--error` to keep semgrep from exiting non-zero on findings.)
 - run: |
- semgrep scan --severity ERROR \
+ semgrep scan --error --severity ERROR \
 --config p/javascript \
 --config p/typescript \
 --config p/owasp-top-ten \
diff --git a/.github/workflows/submit-packages.yml b/.github/workflows/submit-packages.yml
index 8700547..d54310f 100644
--- a/.github/workflows/submit-packages.yml
+++ b/.github/workflows/submit-packages.yml
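Review bot: `--error` only turns into a non-zero exit what `--severity ERROR` lets through, so any WARNING- or INFO-severity rules in the listed packs are still silently dropped rather than blocking CI; if the intent really is "findings block CI", either drop the severity filter or state the narrowing explicitly. The hunk also deletes the only comment that explained the flag, and the new line has none; I would put `# --error: exit non-zero on ERROR-severity findings so they fail the job.` above the run: step. Separately, `--error` does not cover semgrep's own failures (rule fetch or parse errors), so confirm whether `--strict` is wanted alongside it. The run: block continues past the hunk.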
@@ -137,12 +137,14 @@ jobs:
 - name: Summary
 if: always()
+ env:
+ DRY_RUN: ${{ github.event.inputs.dry_run || 'false' }}
 run: |
 echo "## Package Submission Summary (Linux)" >> $GITHUB_STEP_SUMMARY
 echo "" >> $GITHUB_STEP_SUMMARY
 echo "- **Version**: ${{ steps.version.outputs.version }}" >> $GITHUB_STEP_SUMMARY
 echo "- **Package Managers**: ${{ steps.pms.outputs.package_managers }}" >> $GITHUB_STEP_SUMMARY
- echo "- **Dry Run**: ${{ github.event.inputs.dry_run || 'false' }}" >> $GITHUB_STEP_SUMMARY
+ echo "- **Dry Run**: $DRY_RUN" >> $GITHUB_STEP_SUMMARY
 # Windows job for Chocolatey
 submit-chocolatey:
@@ -172,11 +174,14 @@ jobs:
 - name: Determine version
 id: version
 shell: bash
+ env:
+ INPUT_VERSION: ${{ github.event.inputs.version }}
+ RELEASE_TAG: ${{ github.event.release.tag_name }}
 run: |
- if [ -n "${{ github.event.inputs.version }}" ]; then
- VERSION="${{ github.event.inputs.version }}"
- elif [ -n "${{ github.event.release.tag_name }}" ]; then
- VERSION="${{ github.event.release.tag_name }}"
+ if [ -n "$INPUT_VERSION" ]; then
+ VERSION="$INPUT_VERSION"
+ elif [ -n "$RELEASE_TAG" ]; then
+ VERSION="$RELEASE_TAG"
 else
 VERSION=$(git describe --tags --abbrev=0 2>/dev/null || echo "")
 fi
@@ -201,9 +206,10 @@ jobs:
 - name: Submit to Chocolatey
 if: steps.check-key.outputs.has_key == 'true'
 shell: bash
+ env:
+ DRY_RUN: ${{ github.event.inputs.dry_run }}
 run: |
 VERSION="${{ steps.version.outputs.version }}"
- DRY_RUN="${{ github.event.inputs.dry_run }}"
 ARGS="-v $VERSION -p chocolatey"
@@ -220,8 +226,10 @@ jobs:
 - name: Summary
 if: always()
 shell: bash
+ env:
+ DRY_RUN: ${{ github.event.inputs.dry_run || 'false' }}
 run: |
 echo "## Package Submission Summary (Chocolatey)" >> $GITHUB_STEP_SUMMARY
 echo "" >> $GITHUB_STEP_SUMMARY
 echo "- **Version**: ${{ steps.version.outputs.version }}" >> $GITHUB_STEP_SUMMARY
- echo "- **Dry Run**: ${{ github.event.inputs.dry_run || 'false' }}" >> $GITHUB_STEP_SUMMARY
+ echo "- **Dry Run**: $DRY_RUN" >> $GITHUB_STEP_SUMMARY
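Review bot: Two expressions are still interpolated straight into the run: block on the new side of the Linux Summary step — `${{ steps.version.outputs.version }}` and `${{ steps.pms.outputs.package_managers }}` — so this step does not finish the removal the commit message describes. The Chocolatey "Determine version" hunk further down derives `version` from `github.event.inputs.version` or the release tag, so a step output of that kind carries the same provenance as `dry_run`; the Linux job's version step is outside this diff, so confirm it behaves the same. Add `VERSION: ${{ steps.version.outputs.version }}` and `PACKAGE_MANAGERS: ${{ steps.pms.outputs.package_managers }}` under the new env: and echo `"$VERSION"` / `"$PACKAGE_MANAGERS"` instead. Quoting `"$GITHUB_STEP_SUMMARY"` on the redirects is cheap while you are there.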
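Review bot: In "Determine version", `VERSION` is taken from `INPUT_VERSION`/`RELEASE_TAG` with no format check, and the Submit hunk below splices it unquoted into `ARGS="-v $VERSION -p chocolatey"`, so a tag or input containing whitespace or shell metacharacters still reaches the submit command as extra words. Moving the value into env: closes the workflow-expression injection, but a sanity check after the `fi` keeps garbage out of the packaging step: `[[ "$VERSION" =~ ^v?[0-9]+(\.[0-9]+)+$ ]] || { echo "refusing unexpected version: $VERSION" >&2; exit 1; }`. Adjust the pattern to whatever the project's tags actually look like, and note it also turns the empty `git describe` fallback into a hard failure, which may be what you want. The step body continues past the hunk (presumably writing `version` to `$GITHUB_OUTPUT`).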
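Review bot: In "Submit to Chocolatey", `VERSION="${{ steps.version.outputs.version }}"` is still an expression interpolated into the shell body on the new side — the exact pattern this commit removes for `DRY_RUN` two lines above; move it to `VERSION: ${{ steps.version.outputs.version }}` under the new env: and drop the assignment. The new `DRY_RUN: ${{ github.event.inputs.dry_run }}` also lacks the `|| 'false'` default the two Summary steps use, so on release events it is the empty string; that is harmless only if the consumer compares against `'true'`, which lies outside this hunk. `ARGS="-v $VERSION -p chocolatey"` is a string that will be word-split when expanded; a bash array `ARGS=(-v "$VERSION" -p chocolatey)` used as `"${ARGS[@]}"` is the safe form, but that depends on how ARGS is consumed past the hunk.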
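Review bot: In the Chocolatey Summary step, `${{ steps.version.outputs.version }}` remains interpolated directly into the run: block on the new side while `DRY_RUN` was moved to env:; the "Determine version" step in this same job sets that output from `github.event.inputs.version` or the release tag, so it deserves the same treatment. Add `VERSION: ${{ steps.version.outputs.version }}` beside the new `DRY_RUN` entry and write `echo "- **Version**: $VERSION" >> "$GITHUB_STEP_SUMMARY"`. With that, the only expressions left in the step live in the env: mapping, which is the end state this refactor is aiming for.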