From 67674739b0bd8c72cc655546797120cff6b3c0d9 Mon Sep 17 00:00:00 2001
From: Salah-Eddine Saakoun
Date: Fri, 20 Mar 2026 20:18:33 +0100
Subject: [PATCH 1/3] chore: use dropdown for release-type in create release PR workflow
---
 .github/workflows/create-release-pr.yml | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/.github/workflows/create-release-pr.yml b/.github/workflows/create-release-pr.yml
index 8988f38..2bec3e4 100644
--- a/.github/workflows/create-release-pr.yml
+++ b/.github/workflows/create-release-pr.yml
@@ -9,7 +9,14 @@ on:
 required: true
 release-type:
 description: 'A SemVer version diff, i.e. major, minor, or patch. Mutually exclusive with "release-version".'
+ type: choice
 required: false
+ default: ''
+ options:
+ - ''
+ - major
+ - minor
+ - patch
 release-version:
 description: 'A specific version to bump to. Mutually exclusive with "release-type".'
 required: false
From 64199e08de7c31141593807fb44d0b5fbda3fc2b Mon Sep 17 00:00:00 2001
From: Salah-Eddine Saakoun
Date: Fri, 20 Mar 2026 20:38:55 +0100
Subject: [PATCH 2/3] chore: add validation step and use 'none' default for release-type dropdown
---
 .github/workflows/create-release-pr.yml | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/create-release-pr.yml b/.github/workflows/create-release-pr.yml
index 2bec3e4..444af02 100644
--- a/.github/workflows/create-release-pr.yml
+++ b/.github/workflows/create-release-pr.yml
@@ -11,9 +11,9 @@ on:
 description: 'A SemVer version diff, i.e. major, minor, or patch. Mutually exclusive with "release-version".'
 type: choice
 required: false
- default: ''
+ default: none
 options:
- - ''
+ - none
 - major
 - minor
 - patch
@@ -28,6 +28,16 @@ jobs:
 contents: write
 pull-requests: write
 steps:
+ - name: Validate inputs
+ run: |
+ if [ "${{ inputs.release-type }}" != "none" ] && [ -n "${{ inputs.release-version }}" ]; then
+ echo "::error::release-type and release-version are mutually exclusive"
+ exit 1
+ fi
+ if [ "${{ inputs.release-type }}" = "none" ] && [ -z "${{ inputs.release-version }}" ]; then
+ echo "::error::Must specify either release-type or release-version"
+ exit 1
+ fi
 - uses: actions/checkout@v3
 with:
 # This is to guarantee that the most recent tag is fetched.
@@ -44,5 +54,5 @@ jobs:
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 with:
- release-type: ${{ github.event.inputs.release-type }}
+ release-type: ${{ inputs.release-type != 'none' && inputs.release-type || '' }}
 release-version: ${{ github.event.inputs.release-version }}
From 1bd32b8b78b0e153fd774ae9195ec32279210ea3 Mon Sep 17 00:00:00 2001
From: Salah-Eddine Saakoun
Date: Fri, 20 Mar 2026 20:43:51 +0100
Subject: [PATCH 3/3] fix: use env vars instead of direct interpolation to prevent shell injection
---
 .github/workflows/create-release-pr.yml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/create-release-pr.yml b/.github/workflows/create-release-pr.yml
index 444af02..511d163 100644
--- a/.github/workflows/create-release-pr.yml
+++ b/.github/workflows/create-release-pr.yml
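Review bot: In the `@@ -44,5 +54,5 @@` hunk the rewritten `release-type:` line reads the input through `inputs.`, while the context line directly below it still uses `github.event.inputs.release-version`; on a `workflow_dispatch` trigger both forms resolve to the same value, so this is a style point, but mixing them inside one `with:` block suggests a difference that does not exist. I would make the pair consistent, `release-version: ${{ inputs.release-version }}`. The `!= 'none' && inputs.release-type || ''` idiom is safe here only because every entry in the `options` list is a non-empty string, which is worth a one-line comment above it, e.g. `# 'none' is the dropdown placeholder; pass an empty string so the action treats it as unset`. Whether the consuming action really treats an empty `release-type` as unset cannot be confirmed from this hunk, since the step's `uses:` line lies above it.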
@@ -29,12 +29,15 @@ jobs:
 pull-requests: write
 steps:
 - name: Validate inputs
+ env:
+ RELEASE_TYPE: ${{ inputs.release-type }}
+ RELEASE_VERSION: ${{ inputs.release-version }}
 run: |
- if [ "${{ inputs.release-type }}" != "none" ] && [ -n "${{ inputs.release-version }}" ]; then
+ if [ "$RELEASE_TYPE" != "none" ] && [ -n "$RELEASE_VERSION" ]; then
 echo "::error::release-type and release-version are mutually exclusive"
 exit 1
 fi
- if [ "${{ inputs.release-type }}" = "none" ] && [ -z "${{ inputs.release-version }}" ]; then
+ if [ "$RELEASE_TYPE" = "none" ] && [ -z "$RELEASE_VERSION" ]; then
 echo "::error::Must specify either release-type or release-version"
 exit 1
 fi
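Review bot: Passing both inputs through `env:` removes the expression-in-shell pattern, but `RELEASE_VERSION` is still only tested for emptiness in this step, so any free-form string satisfies the validation and is forwarded unchanged to the release step configured further down the file. Since the input is described as "a specific version to bump to", the step is the natural place to also enforce the expected shape, e.g. `if [ -n "$RELEASE_VERSION" ] && ! printf '%s\n' "$RELEASE_VERSION" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$'; then echo "::error::release-version must look like X.Y.Z"; exit 1; fi`, loosened to whatever the downstream action accepts if pre-release suffixes are in use. `RELEASE_TYPE` needs no equivalent check because the `choice` type already restricts it to the listed options. The enclosing job and the consumer of these values lie outside this hunk.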