fix: address code review findings

derekmisler · derekmisler · commit 5fff4b6ea4ad · 2026-03-26T09:46:40.000-04:00
- Add --paginate flag to consumer repo search to handle &gt;100 repos
- Add validation for SHA-pinned refs without version comments
- Replace unsafe heredoc PR body with printf to prevent command injection
- Add trap-based cleanup for temp directories to prevent resource leaks
- Move ROOT_COMMENT_ID validation to shared step for both auth paths

Fixes identified in strict code review:
- HIGH: Consumer repo pagination truncation
- MEDIUM: Command injection via FILE_PATH in PR body
- MEDIUM: Weak validation pattern for SHA pinning
- MEDIUM: Temp directory leaks on errors
- MEDIUM: Missing ROOT_COMMENT_ID validation in authorized path
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -144,6 +144,15 @@ jobs:
             exit 1
           fi
 
+          # Check for any SHA-pinned refs that lack version comments (won't be auto-updated)
+          UNVERSIONED=$(grep -n 'uses: *docker/cagent-action[^@]*@[a-f0-9]\{40\}' "${PINNED_FILES[@]}" 2>/dev/null | \
+            grep -v '# v' || true)
+          if [ -n "$UNVERSIONED" ]; then
+            echo "::error::Found SHA-pinned refs without version comments (won't be auto-updated):"
+            echo "$UNVERSIONED"
+            exit 1
+          fi
+
           # Verify no refs with the old SHA remain in pinned files
           REMAINING=$(grep -n "$OLD_PIN_PATTERN" "${PINNED_FILES[@]}" 2>/dev/null | grep -v "${HEAD_SHA}" || true)
           if [ -n "$REMAINING" ]; then
@@ -219,7 +228,7 @@ jobs:
           # Uses GitHub code search API — results may have eventual consistency lag
           # for very recently created repos, but this is fine for release automation.
           echo "Searching for consumer repos..."
-          REPOS=$(gh api '/search/code?per_page=100' \
+          REPOS=$(gh api --paginate '/search/code?per_page=100' \
             -f q='org:docker "docker/cagent-action/.github/workflows/review-pr.yml@" language:YAML path:/^\.github\/workflows\//' \
             --jq '[.items[] | {repo: .repository.full_name, path: .path}] | unique_by(.repo) | .[] | "\(.repo) \(.path)"')
 
@@ -245,6 +254,9 @@ jobs:
             echo "=========================================="
 
             # Clone the repo into a temp directory
+            # Set up cleanup trap for this iteration
+            trap 'cd /; rm -rf "$WORK_DIR"' EXIT
+
             WORK_DIR=$(mktemp -d)
             if ! gh repo clone "$REPO" "$WORK_DIR" -- --depth=1 2>/dev/null; then
               echo "::warning::Failed to clone $REPO — skipping (token may lack access)"
@@ -302,11 +314,14 @@ jobs:
             # Create or update PR
             EXISTING_PR=$(gh pr list --repo "$REPO" --head "$BRANCH" --state open --json number --jq '.[0].number')
 
-            PR_BODY="## Summary
-          Updates \`cagent-action\` reference in \`${FILE_PATH}\` to [$VERSION]($RELEASE_URL).
-          - **Commit**: \`${SHA}\`
-          - **Version**: \`${VERSION}\`
-          > Auto-generated by the [release](${RUN_URL}) workflow."
+            # Build PR body safely using printf to avoid shell expansion of FILE_PATH
+            # FILE_PATH comes from GitHub API and could theoretically contain shell metacharacters
+            printf -v PR_BODY '%s\n%s\n%s\n%s\n%s' \
+              "## Summary" \
+              "Updates \`cagent-action\` reference in \`${FILE_PATH}\` to [${VERSION}](${RELEASE_URL})." \
+              "- **Commit**: \`${SHA}\`" \
+              "- **Version**: \`${VERSION}\`" \
+              "> Auto-generated by the [release](${RUN_URL}) workflow."
 
             if [ -n "$EXISTING_PR" ]; then
               echo "Updating existing PR #$EXISTING_PR in $REPO"
@@ -322,6 +337,9 @@ jobs:
                 --reviewer "derekmisler" || echo "::warning::Failed to create PR in $REPO"
             fi
 
+            # Clear trap and cleanup
+            trap - EXIT
+
             cd /
             rm -rf "$WORK_DIR"
             echo ""
diff --git a/.github/workflows/review-pr.yml b/.github/workflows/review-pr.yml
@@ -457,6 +457,21 @@ jobs:
             echo "⏭️ Not a reply to agent comment, skipping"
           fi
 
+      - name: Validate root comment ID
+        if: steps.check.outputs.is_agent == 'true'
+        shell: bash
+        env:
+          ROOT_COMMENT_ID: ${{ steps.check.outputs.root_comment_id }}
+        run: |
+          if [ -z "$ROOT_COMMENT_ID" ]; then
+            echo "::error::ROOT_COMMENT_ID is not set"
+            exit 1
+          fi
+          if ! [[ "$ROOT_COMMENT_ID" =~ ^[0-9]+$ ]]; then
+            echo "::error::ROOT_COMMENT_ID is not a valid integer: '$ROOT_COMMENT_ID'"
+            exit 1
+          fi
+
       - name: Check authorization
         if: steps.check.outputs.is_agent == 'true'
         id: auth
@@ -509,16 +524,6 @@ jobs:
           ROOT_COMMENT_ID: ${{ steps.check.outputs.root_comment_id }}
           AUTHOR: ${{ github.event.comment.user.login }}
         run: |
-          # Validate ROOT_COMMENT_ID is a valid integer before using it
-          if [ -z "$ROOT_COMMENT_ID" ]; then
-            echo "::error::ROOT_COMMENT_ID is not set"
-            exit 1
-          fi
-          
-          if ! [[ "$ROOT_COMMENT_ID" =~ ^[0-9]+$ ]]; then
-            echo "::error::ROOT_COMMENT_ID is not a valid integer: '$ROOT_COMMENT_ID'"
-            exit 1
-          fi
           
           jq -n \
             --arg body "Sorry @$AUTHOR, conversational replies are currently available to repository collaborators only. Your feedback has still been captured and will be used to improve future reviews.
