@@ -59,22 +59,46 @@ jobs:
5959 uses : actions/checkout@v4
6060 with :
6161 fetch-depth : 0
62- - name : Get full SHA
62+ - name : Validate and resolve commit SHA
6363 id : get-sha
64+ env :
65+ INPUT_COMMIT_SHA : ${{ github.event.inputs.commit-sha }}
6466 run : |
65- FULL_SHA=$(git rev-parse ${{ github.event.inputs.commit-sha }})
66- if [ -z "$FULL_SHA" ]; then
67- echo "Error: Could not resolve commit SHA: ${{ github.event.inputs.commit-sha }}"
67+ # Validate input matches SHA pattern (7-40 hex characters)
68+ if ! echo "$INPUT_COMMIT_SHA" | grep -qE '^[0-9a-fA-F]{7,40}$'; then
69+ echo "Error: Invalid commit SHA format. Must be 7-40 hexadecimal characters."
70+ echo "Provided: $INPUT_COMMIT_SHA"
6871 exit 1
6972 fi
73+
74+ # Resolve to full SHA
75+ FULL_SHA=$(git rev-parse "$INPUT_COMMIT_SHA" 2>&1)
76+ EXIT_CODE=$?
77+
78+ if [ $EXIT_CODE -ne 0 ] || [ -z "$FULL_SHA" ]; then
79+ echo "Error: Could not resolve commit SHA: $INPUT_COMMIT_SHA"
80+ echo "$FULL_SHA"
81+ exit 1
82+ fi
83+
84+ # Validate resolved SHA is actually a commit
85+ if ! git cat-file -e "$FULL_SHA^{commit}" 2>/dev/null; then
86+ echo "Error: $FULL_SHA is not a valid commit"
87+ exit 1
88+ fi
89+
7090 echo "FULL_SHA=$FULL_SHA" >> "$GITHUB_OUTPUT"
7191 echo "Resolved commit SHA: $FULL_SHA"
7292 - name : Checkout specific commit
73- run : git checkout ${{ steps.get-sha.outputs.FULL_SHA }}
93+ env :
94+ COMMIT_SHA : ${{ steps.get-sha.outputs.FULL_SHA }}
95+ run : git checkout "$COMMIT_SHA"
7496 - name : Show commit details
97+ env :
98+ COMMIT_SHA : ${{ steps.get-sha.outputs.FULL_SHA }}
7599 run : |
76100 echo "Commit details:"
77- git log -1 --pretty=format:"Author: %an <%ae>%nDate: %ad%nSubject: %s%nBody: %b" ${{ steps.get-sha.outputs.FULL_SHA }}
101+ git log -1 --pretty=format:"Author: %an <%ae>%nDate: %ad%nSubject: %s%nBody: %b" "$COMMIT_SHA"
78102 - name: Get package info
79103 id: package-info
80104 run: |
@@ -84,8 +108,10 @@ jobs:
84108 echo "PACKAGE_VERSION=$PACKAGE_VERSION" >> "$GITHUB_OUTPUT"
85109 echo "Package: $PACKAGE_NAME@$PACKAGE_VERSION"
86110 - name: Check for existing release
111+ env:
112+ PACKAGE_VERSION: ${{ steps.package-info.outputs.PACKAGE_VERSION }}
87113 run: |
88- TAG="v${{ steps.package-info.outputs. PACKAGE_VERSION } }"
114+ TAG="v${PACKAGE_VERSION}"
89115 if git rev-parse "$TAG" >/dev/null 2>&1; then
90116 echo "⚠️ Warning: Tag $TAG already exists"
91117 git log -1 --pretty=format:"Existing tag points to: %H%n" "$TAG"
@@ -100,12 +126,16 @@ jobs:
100126 runs-on: ubuntu-latest
101127 steps:
102128 - name: Display dry run summary
129+ env:
130+ PACKAGE_NAME: ${{ needs.validate-commit.outputs.PACKAGE_NAME }}
131+ PACKAGE_VERSION: ${{ needs.validate-commit.outputs.PACKAGE_VERSION }}
132+ FULL_SHA: ${{ needs.validate-commit.outputs.FULL_SHA }}
103133 run: |
104134 echo "## 🔍 Dry Run Summary"
105135 echo ""
106136 echo "**Mode:** Dry run (no changes will be made)"
107- echo "**Package:** ${{ needs.validate-commit.outputs. PACKAGE_NAME }} @${{ needs.validate-commit.outputs. PACKAGE_VERSION } }"
108- echo "**Commit:** ${{ needs.validate-commit.outputs. FULL_SHA } }"
137+ echo "**Package:** ${PACKAGE_NAME} @${PACKAGE_VERSION}"
138+ echo "**Commit:** ${FULL_SHA}"
109139 echo ""
110140 echo "✓ All validation checks passed"
111141 echo "ℹ️ To publish this release, run the workflow again with 'Dry run' unchecked"
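Review bot: In the "Validate and resolve commit SHA" step of the first hunk, the `EXIT_CODE=$?` branch cannot run under the runner's default `bash -e` shell. A failing `FULL_SHA=$(git rev-parse "$INPUT_COMMIT_SHA" 2>&1)` aborts the script at the assignment, and since stderr was captured into the variable the job stops with no diagnostic (assuming no `defaults.run.shell` override outside the visible lines). Testing the command directly keeps the error path reachable and lets git do the commit check in the same call: `if ! FULL_SHA=$(git rev-parse --verify "${INPUT_COMMIT_SHA}^{commit}"); then`. That form also yields the peeled commit id rather than a tag object, which makes the separate `git cat-file -e` block redundant. The format check is weaker than its comment suggests: `grep` matches per line, so a multi-line value passes if any one line is hex, and a hex-named branch or tag may still resolve ahead of an abbreviated object id. A whole-string test such as `[[ "$INPUT_COMMIT_SHA" =~ ^[0-9a-fA-F]{7,40}$ ]]` closes the first gap, and the second is worth a comment.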