Add regex validation to release workflow (#467)

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: jaxdesmarais

.github/workflows/release.yml

@@ -18,31 +18,59 @@ jobs:
       - name: Use Xcode 15.1
         run: sudo xcode-select -switch /Applications/Xcode_15.1.app
 
+      - name: Validate version input
+        env:
+          INPUT_VERSION: ${{ github.event.inputs.version }}
+        run: |
+          set -euo pipefail
+
+          # Validate version format: x.x.x or x.x.x-betax (e.g., 3.0.0, 3.0.0-beta1)
+          # Uses bash regex to avoid a grep subprocess and (0|[1-9][0-9]*) to prevent leading zeros.
+          PATTERN='^(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)(-beta[0-9]+)?$'
+          if ! [[ "${INPUT_VERSION}" =~ $PATTERN ]]; then
+            echo "::error::Invalid version format: ${INPUT_VERSION}"
+            echo "::error::Version must be x.x.x or x.x.x-betax (e.g., 3.0.0 or 3.0.0-beta1)"
+            exit 1
+          fi
+
+          # Check length to prevent excessively long inputs
+          if [ ${#INPUT_VERSION} -gt 50 ]; then
+            echo "::error::Version string exceeds maximum length of 50 characters"
+            exit 1
+          fi
+
+          # Store validated version for use in subsequent steps
+          echo "RELEASE_VERSION=${INPUT_VERSION}" >> "$GITHUB_ENV"
+          echo "Version validated: ${INPUT_VERSION}"
+
       - name: Check for unreleased section in changelog
         run: grep "## unreleased" CHANGELOG.md || (echo "::error::No unreleased section found in CHANGELOG"; exit 1)
 
       - name: Set git username and email
         run: |
+          set -euo pipefail
           git config user.name braintreeps
           git config user.email code@getbraintree.com
 
       - name: Update version, add tag and push
         run: |
+          set -euo pipefail
           today=$(date +'%Y-%m-%d')
-          sed -i '' 's/## unreleased.*/## '"${{ github.event.inputs.version }}"' ('"$today"')/' CHANGELOG.md
-          sed -i '' 's/\(s\.version *= *\).*/\1"'"${{ github.event.inputs.version }}"'\"/' BraintreeDropIn.podspec
-          plutil -replace CFBundleVersion -string ${{ github.event.inputs.version }} -- 'Demo/Application/Supporting Files/Braintree-Demo-Info.plist'
-          plutil -replace CFBundleShortVersionString -string ${{ github.event.inputs.version }} -- 'Demo/Application/Supporting Files/Braintree-Demo-Info.plist'
-          plutil -replace CFBundleVersion -string ${{ github.event.inputs.version }} -- 'Sources/BraintreeDropIn/Info.plist'
-          plutil -replace CFBundleShortVersionString -string ${{ github.event.inputs.version }} -- 'Sources/BraintreeDropIn/Info.plist'
+          sed -i '' 's/## unreleased.*/## '"${RELEASE_VERSION}"' ('"$today"')/' CHANGELOG.md
+          sed -i '' 's/\(s\.version *= *\).*/\1"'"${RELEASE_VERSION}"'\"/' BraintreeDropIn.podspec
+          plutil -replace CFBundleVersion -string "${RELEASE_VERSION}" -- 'Demo/Application/Supporting Files/Braintree-Demo-Info.plist'
+          plutil -replace CFBundleShortVersionString -string "${RELEASE_VERSION}" -- 'Demo/Application/Supporting Files/Braintree-Demo-Info.plist'
+          plutil -replace CFBundleVersion -string "${RELEASE_VERSION}" -- 'Sources/BraintreeDropIn/Info.plist'
+          plutil -replace CFBundleShortVersionString -string "${RELEASE_VERSION}" -- 'Sources/BraintreeDropIn/Info.plist'
 
           git add .
-          git commit -m 'Bump version to ${{ github.event.inputs.version }}'
-          git tag ${{ github.event.inputs.version }} -a -m 'Release ${{ github.event.inputs.version }}'
-          git push origin HEAD ${{ github.event.inputs.version }}
+          git commit -m "Bump version to ${RELEASE_VERSION}"
+          git tag "${RELEASE_VERSION}" -a -m "Release ${RELEASE_VERSION}"
+          git push origin HEAD "${RELEASE_VERSION}"
 
       - name: Save changelog entries to a file
         run: |
+          set -euo pipefail
           sed -e '1,/##/d' -e '/##/,$d' CHANGELOG.md > changelog_entries.md
 
       - name: Create GitHub Release
@@ -51,19 +79,22 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
-          tag_name: ${{ github.event.inputs.version }}
-          release_name: ${{ github.event.inputs.version }}
+          tag_name: ${{ env.RELEASE_VERSION }}
+          release_name: ${{ env.RELEASE_VERSION }}
           body_path: changelog_entries.md
           draft: false
           prerelease: false
 
       - name: Publish to CocoaPods
         env:
           COCOAPODS_TRUNK_TOKEN: ${{ secrets.COCOAPODS_TRUNK_TOKEN }}
-        run: pod trunk push BraintreeDropIn.podspec
+        run: |
+          set -euo pipefail
+          pod trunk push BraintreeDropIn.podspec
 
       - name: Publish reference docs
         run: |
+          set -euo pipefail
           gem install jazzy
           brew install sourcekitten
           sourcekitten doc --objc Docs/BraintreeDropIn-Umbrella-Header.h -- \
@@ -75,12 +106,12 @@ jobs:
             --author Braintree \
             --author_url http://braintreepayments.com \
             --github_url https://github.com/braintree/braintree-ios-drop-in \
-            --github-file-prefix https://github.com/braintree/braintree-ios-drop-in/tree/${{ github.event.inputs.version }} \
+            --github-file-prefix "https://github.com/braintree/braintree-ios-drop-in/tree/${RELEASE_VERSION}" \
             --theme fullwidth \
-            --output ${{ github.event.inputs.version }}
-          cp -R Images ${{ github.event.inputs.version }}/Images
+            --output "${RELEASE_VERSION}"
+          cp -R Images "${RELEASE_VERSION}/Images"
           git checkout gh-pages
-          ln -sfn ${{ github.event.inputs.version }} current
-          git add current ${{ github.event.inputs.version }}
-          git commit -m "Publish ${{ github.event.inputs.version }} docs to github pages"
+          ln -sfn "${RELEASE_VERSION}" current
+          git add current "${RELEASE_VERSION}"
+          git commit -m "Publish ${RELEASE_VERSION} docs to github pages"
           git push