Pull request overview
Adds a GitHub Actions workflow to automate creation of a “release PR” by syncing docs/ and README.md from backup-utils-private into this repo and opening (then auto-merging) a PR for the release branch.
Changes:
- Add repository_dispatch-triggered workflow Create Release PR.
- Checkout backup-utils-private, copy docs/ + README.md, commit to release/<version> and push.
- Create (or find) a PR and enable auto-merge via gh.
Comments suppressed due to low confidence (1)
.github/workflows/create-release-pr.yml:71
- Same injection risk here: interpolating github.event.client_payload.version directly into the run: script can allow a crafted repository_dispatch payload to execute arbitrary shell commands. Prefer passing it via env: (or parsing $GITHUB_EVENT_PATH) and validating it before constructing branch names / PR metadata.
version="${{ github.event.client_payload.version }}"
branch="release/$version"
| run: | | ||
| version="${{ github.event.client_payload.version }}" | ||
| branch="release/$version" | ||
| pr_number="$(gh pr list --head "$branch" --base master --json number --jq '.[0].number')" |
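Review bot: gh pr list only returns open pull requests by default, so the lookup on the last line finds nothing once a release PR for "$branch" has been closed without merging, and a rerun will open a second PR for the same branch; pass --state all if the intent is to reuse an existing PR, or accept that a closed PR is recreated. Note also that the value captured in pr_number is a string, so the later emptiness check must treat the literal "null" that jq emits for a missing element as "no PR".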
gh pr list ... --jq '.[0].number' returns null (string) when no PRs are found, not an empty string. With the current -z check, pr_number becomes null and the workflow will skip PR creation and later try to merge a PR numbered null. Update the jq filter / conditional to treat null as empty.
| pr_number="$(gh pr list --head "$branch" --base master --json number --jq '.[0].number')" | |
| pr_number="$(gh pr list --head "$branch" --base master --json number --jq '.[0].number // empty')" |
| git add docs README.md | ||
| git commit --allow-empty -m "$version release" | ||
| git push --force-with-lease --set-upstream origin "$branch" |
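Review bot: git commit on the second line needs user.name and user.email configured in this job; the Actions runner does not set them, so unless an earlier step (not shown in this hunk) runs git config for both, the step fails with "Author identity unknown" before the push is reached. Consider setting a fixed bot identity right before the commit so the step does not depend on job state.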
git push --force-with-lease can fail on reruns when the remote release/$version branch already exists but hasn’t been fetched into a local origin/release/... tracking ref (common with actions/checkout default fetch-depth: 1). If you intend this workflow to be idempotent, fetch the remote branch first (if it exists) or adjust the push strategy so reruns can update the branch reliably.
| uses: actions/checkout@v5 | ||
| with: | ||
| token: ${{ steps.app-token.outputs.token }} | ||
| repository: github/backup-utils-private |
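Review bot: actions/checkout persists the token passed on the token: line into the checked-out repository's .git/config by default, so the GitHub App token for backup-utils-private stays on disk for every later step of the job. This checkout is only read from (docs/ and README.md are copied out of it), so add persist-credentials: false to this step so the token is dropped as soon as the clone is done.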
The workflow uses ${{ github.repository_owner }} when minting the GitHub App token, but hardcodes repository: github/backup-utils-private for the checkout. Using the same owner variable for the checkout target avoids drift if the repo is ever moved or this workflow is reused elsewhere.
| repository: github/backup-utils-private | |
| repository: ${{ github.repository_owner }}/backup-utils-private |
| version="${{ github.event.client_payload.version }}" | ||
| branch="release/$version" |
github.event.client_payload.version is interpolated directly into the shell script. If the dispatch payload contains characters like quotes/newlines, this can break out of the assignment and lead to shell injection (and potential secret exfiltration). Pass the value via env: (or read it from $GITHUB_EVENT_PATH with jq) and validate/sanitize it (e.g., enforce a semver/allowed-charset pattern) before using it in git/gh commands.
This issue also appears on line 70 of the same file.
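As an added example, not code from the pull request or from backup-utils, here is the version handling the injection and null-handling comments above ask for, written in the same bash the run: step uses. It assumes the workflow passes the payload value through env: as VERSION (an assumption; the PR interpolates it with ${{ }} into the script instead), and the function names validate_version, release_branch and normalize_pr_number are the example's own.

```shell
#!/usr/bin/env bash
# Added example (not the PR's workflow): hardened handling of the
# repository_dispatch version. Assumed workflow change (assumption):
#   env:
#     VERSION: ${{ github.event.client_payload.version }}
# so the payload reaches the shell as data, never as script text.
set -eu

# Accept only a semver-style tag (1.2.3 or 1.2.3-rc.1). Anything else,
# including quotes, newlines, $(...), slashes or a leading '-', is rejected
# by the character-class check before the regex is even consulted.
validate_version() {
  case "$1" in
    '' | *[!A-Za-z0-9.-]*) return 1 ;;
  esac
  printf '%s\n' "$1" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+(-[A-Za-z0-9.]+)?$'
}

# Branch name derived only from an already-validated version.
release_branch() {
  validate_version "$1" || return 1
  printf 'release/%s\n' "$1"
}

# `gh pr list ... --jq '.[0].number'` prints the string "null" when no PR
# matches. Map that to an empty string and reject anything non-numeric so a
# later `gh pr merge "$pr_number"` can never run against garbage.
normalize_pr_number() {
  case "$1" in
    '' | null) printf '' ;;
    *[!0-9]*)  return 1 ;;
    *)         printf '%s' "$1" ;;
  esac
}

# Entry point as the workflow step would call it: read VERSION from the
# environment, refuse to continue on a bad value, then derive the branch.
main() {
  version="${VERSION:-}"
  if ! validate_version "$version"; then
    printf 'refusing version %s: not a semver tag\n' "$version" >&2
    exit 1
  fi
  branch="$(release_branch "$version")"
  printf 'branch=%s\n' "$branch"
  # In the real step the lookup would then be wrapped like this
  # (gh is not called here so the example runs offline):
  #   pr_number="$(normalize_pr_number "$(gh pr list --head "$branch" \
  #       --base master --json number --jq '.[0].number')")"
  #   [ -n "$pr_number" ] || pr_number="$(gh pr create ...)"
}

# Only run the entry point when the workflow actually supplied a version.
if [ -n "${VERSION:-}" ]; then
  main
fi
```

The character-class check in validate_version runs first so that the rejection does not depend on the regex being airtight; the regex then pins the shape. Keeping the "null" mapping in its own function, separate from the gh call, lets it be exercised without network access, which is also why the test below asserts on normalize_pr_number directly rather than on gh output.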
This adds a workflow for creating a PR to facilitate the release process.