…Mask/metamask-mobile into release/test-runway-rc-ios-workflow
CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.
| with: | ||
| github-token: ${{ secrets.GITHUB_TOKEN }} | ||
| script: | | ||
| const ref = '${{ inputs.ref || github.ref_name }}'.replace(/^refs\/heads\//, ''); |
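Review bot: `const ref = '${{ inputs.ref || github.ref_name }}'` splices a user-controlled `workflow_dispatch` input straight into a JavaScript string literal, so a value containing a single quote closes the literal and whatever follows runs as script in the job that holds `secrets.GITHUB_TOKEN`. Move the expression to the step's `env:` (for example `REF: ${{ inputs.ref || github.ref_name }}`), read `process.env.REF` inside the script, and apply the same change to the shell step that reuses this expression; in addition, reject any value that does not match a strict branch-name pattern before it is used to dispatch anything.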
Script injection via unsanitized inputs.ref in shell and JS
High Severity
The workflow_dispatch inputs.ref value is directly interpolated via ${{ inputs.ref || github.ref_name }} into both a shell command (line 55) and a JavaScript string literal (line 118) without sanitization. A user with repo write access could supply a crafted ref value (e.g., containing '; malicious_code; ' for JS or "; malicious_command; echo " for shell) to achieve arbitrary code execution in the workflow runner context, which has access to secrets.GITHUB_TOKEN and can dispatch other workflows. The safe pattern is to pass these values via environment variables rather than inline ${{ }} expressions.
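Added example (not code from the PR or the repository): a small shell guard that mirrors the `refs/heads/` stripping in the reviewed hunk and rejects ref values containing characters outside ordinary branch names. It assumes the workflow passes the value through an `env:` entry named `REF` (an assumed name) instead of an inline `${{ }}` expression.

```shell
#!/usr/bin/env bash
# Added example, not part of the PR. The workflow is expected to set
#   env:
#     REF: ${{ inputs.ref || github.ref_name }}   # REF is an assumed name
# and this script reads $REF, so the expression never reaches the script body.
set -eu

# normalize_ref strips a leading refs/heads/, the same transformation the
# PR's github-script step performs with .replace(/^refs\/heads\//, '').
normalize_ref() {
  printf '%s\n' "${1#refs/heads/}"
}

# validate_ref prints the normalized ref and exits 0 when it contains only
# characters found in ordinary branch and tag names; anything else (quotes,
# semicolons, spaces, backticks, $, ..) makes it exit 1 so the step fails
# before the value can reach a shell command or a JS string literal.
# The allowed set is an assumption for this example; a repository can tighten
# it to its own naming scheme, e.g. ^release/[0-9]+\.[0-9]+\.[0-9]+$.
validate_ref() {
  ref="$(normalize_ref "$1")"
  case "$ref" in
    ''|*..*|-*|/*|*/) return 1 ;;   # empty, "..", leading dash or slash, trailing slash
  esac
  printf '%s\n' "$ref" | grep -Eq '^[A-Za-z0-9._/-]+$' || return 1
  printf '%s\n' "$ref"
}

# Step usage: only runs when the workflow supplied REF through env.
if [ -n "${REF:-}" ]; then
  if safe_ref="$(validate_ref "$REF")"; then
    echo "ref=${safe_ref}" >> "${GITHUB_OUTPUT:-/dev/null}"
  else
    echo "::error::Refusing to use ref '${REF}': unexpected characters"
    exit 1
  fi
fi
```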
Cursor Bugbot has reviewed your changes and found 2 potential issues.
There are 3 total unresolved issues (including 1 from previous review).
Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.
| run: | | ||
| if [[ -z "${{ needs.decide.outputs.pr_number }}" ]]; then | ||
| echo "::error::No PR found for this branch. OTA update requires a PR number." | ||
| echo "::error::If you ran the workflow manually (workflow_dispatch), select your release branch in the 'Use workflow from' dropdown (e.g. release/test-runway-rc-ios-workflow), not main." |
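Review bot: the second `::error::` hint hardcodes `release/test-runway-rc-ios-workflow`, the branch this PR is being developed on, so the guidance becomes misleading as soon as the workflow runs from a real release branch; use a neutral placeholder such as `release/<version>`. The `[[ -z "${{ needs.decide.outputs.pr_number }}" ]]` test also inlines an expression into `run:`; a job output is far less exposed than a `workflow_dispatch` input, but passing it through `env:` keeps the workflow consistent with the fix needed for `inputs.ref`.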
Test branch name hardcoded in production error message
Low Severity
The error message on this line uses release/test-runway-rc-ios-workflow as the example branch name. This is the current test branch for this PR, not a realistic release branch name. If this workflow ships to production, the guidance would confuse users — a real example like release/7.71.0 would be appropriate.
| # Version from package.json (e.g. 7.70.0) → base ref for OTA workflow is always v{VERSION} | ||
| VERSION=$(node -p "require('./package.json').version") | ||
| RELEASE_TAG="v${VERSION}" | ||
| echo "base_ref=${RELEASE_TAG}" >> "$GITHUB_OUTPUT" |
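Review bot: `base_ref` is written as `v${VERSION}` with no check that such a tag exists, and nothing in these lines provides a fallback when it does not. Guard the write before `echo "base_ref=${RELEASE_TAG}" >> "$GITHUB_OUTPUT"`, for example `git fetch --tags --quiet` followed by `git rev-parse --verify --quiet "refs/tags/${RELEASE_TAG}" >/dev/null || { echo "::error::Tag ${RELEASE_TAG} not found; cannot derive base_ref"; exit 1; }`, or emit an empty `base_ref` and have the OTA trigger skip when it is empty, so the downstream dispatch never receives an unresolvable ref.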
OTA trigger uses non-existent tag as base ref
Medium Severity
base_ref is unconditionally set to RELEASE_TAG (e.g. v7.69.0) on line 78, but when that tag doesn't exist, the OTA bump detection falls back to comparing against origin/main (lines 91–95). If a bump is detected via that fallback path, trigger-ota dispatches push-eas-update.yml with base_branch pointing to the non-existent tag. The downstream workflow will then fail at checkout because that ref doesn't resolve, producing a confusing error instead of a clear guard.
Note
Medium Risk
Medium risk because it adds a new release-branch GitHub Actions workflow that conditionally triggers OTA dispatches or RC builds, and it changes app version/build numbers across Android, iOS, Bitrise, and package.json, which can impact release pipelines if misconfigured.

Overview
Adds a new GitHub Actions workflow, runway_ios_rc_workflow.yml, for release/* branches that decides between triggering an iOS RC OTA update (by dispatching push-eas-update.yml) or running the reusable build.yml workflow when no OTA_VERSION bump is detected.

Updates release metadata across the repo: bumps app/constants/ota.ts OTA_VERSION, and changes the app semantic version/build numbers in package.json, Android build.gradle, iOS Xcode project settings, and Bitrise env vars to match the intended RC build/versioning.

Written by Cursor Bugbot for commit 93bd6ad. This will update automatically on new commits.