@@ -11,18 +11,24 @@ jobs:
1111 label : ${{ steps.get-label.outputs.label }}
1212 runs-on : ubuntu-22.04
1313 steps :
14- - name : Get Label
14+ - name : Get Label (allow-listed dependencies only)
1515 id : get-label
1616 env :
1717 REPO : ${{ github.event.client_payload.dependency }}
1818 run : |
19- if [ "$REPO" == "vitess" ]
20- then
21- echo "label=vitess-bump" >> $GITHUB_OUTPUT
22- else
23- echo "$REPO is unsupported"
24- exit 1
25- fi
19+ set -euo pipefail
20+ IFS=$'\n\t'
21+
22+ # allow-list: only 'vitess' at present
23+ case "${REPO:-}" in
24+ vitess)
25+ echo "label=vitess-bump" >> "$GITHUB_OUTPUT"
26+ ;;
27+ *)
28+ echo "Dependency '${REPO:-}' is unsupported"
29+ exit 1
30+ ;;
31+ esac
2632
2733 stale-bump-prs :
2834 name : Retrieving Stale Bump PRs
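Review bot: The allow-list in this step's `case` (new lines 22–31) is duplicated by the `case` in the later Validate & Sanitize Payload step of this same file, so adding a second supported dependency means editing two places that can drift apart. Keeping one mapping — for example emitting the module path from this job as a second output next to `label`, or having the sanitize step key off `needs.get-label.outputs.label` — would leave the allow-list in a single place. Minor style point: `IFS=$'\n\t'` at new line 20 has no effect here, since nothing in the step depends on word splitting, and the exact-match pattern `vitess)` already does the work; the line can be dropped. The `get-label` job's own header and `outputs` begin above this hunk.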
@@ -94,47 +100,125 @@ jobs:
94100 - uses : actions/checkout@v4
95101 with :
96102 token : ${{ secrets.REPO_ACCESS_TOKEN || secrets.GITHUB_TOKEN }}
103+
97104 - name : Set up Go 1.x
98105 uses : actions/setup-go@v5
99106 with :
100107 go-version-file : go.mod
101- - name : Bump dependency
102- run : GOOS=linux go get github.com/dolthub/${{ github.event.client_payload.dependency }}@${{ github.event.client_payload.head_commit_sha }}
103- - name : Get Assignee and Reviewer
104- id : get_reviewer
108+
109+ - name : Validate & Sanitize Payload
110+ id : sanitize
111+ env :
112+ RAW_DEP : ${{ github.event.client_payload.dependency }}
113+ RAW_SHA : ${{ github.event.client_payload.head_commit_sha }}
114+ RAW_USER : ${{ github.event.client_payload.assignee }}
115+ RAW_MAIL : ${{ github.event.client_payload.assignee_email }}
105116 run : |
106- if [ "${{ github.event.client_payload.assignee }}" == "zachmu" ]
107- then
108- echo "reviewer=Hydrocharged" >> $GITHUB_OUTPUT
117+ set -euo pipefail
118+ IFS=$'\n\t'
119+
120+ # --- Validate dependency via allow-list and map to module path
121+ case "${RAW_DEP:-}" in
122+ vitess)
123+ MODULE='github.com/dolthub/vitess'
124+ ;;
125+ *)
126+ echo "Unsupported dependency '${RAW_DEP:-}'"
127+ exit 1
128+ ;;
129+ esac
130+
131+ # --- Validate head SHA/tag (conservative)
132+ # allow only hex SHAs or safe tag-ish: letters, digits, dot, dash, underscore, plus
133+ if [ -z "${RAW_SHA:-}" ] || ! printf '%s' "$RAW_SHA" | grep -qE '^[A-Za-z0-9._+-]+$'; then
134+ echo "Invalid head_commit_sha"
135+ exit 1
136+ fi
137+
138+ # Keep a short 8-char form if it's a hex SHA; otherwise keep original (already validated)
139+ if printf '%s' "$RAW_SHA" | grep -qiE '^[0-9a-f]{40}$'; then
140+ SHORT_SHA="${RAW_SHA:0:8}"
141+ else
142+ # derive a short-ish safe token
143+ SHORT_SHA="$(printf '%s' "$RAW_SHA" | tr -cd 'A-Za-z0-9._+-' | cut -c1-12)"
144+ fi
145+
146+ # --- Validate assignee username (GitHub-compatible subset)
147+ if [ -z "${RAW_USER:-}" ] || ! printf '%s' "$RAW_USER" | grep -qE '^[A-Za-z0-9-]{1,39}$'; then
148+ echo "Invalid assignee username"
149+ exit 1
150+ fi
151+
152+ # --- Validate email; if invalid, fall back to GitHub noreply
153+ if [ -n "${RAW_MAIL:-}" ] && printf '%s' "$RAW_MAIL" | grep -qE '^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$'; then
154+ SAFE_EMAIL="$RAW_MAIL"
109155 else
110- echo "reviewer=zachmu" >> $GITHUB_OUTPUT
156+ SAFE_EMAIL="${RAW_USER}[email protected] " 111157 fi
112- - name : Get short hash
113- id : short-sha
158+
159+ # --- Build a safe branch name: <assignee>-<short>
160+ BRANCH_NAME="$(printf '%s-%s' "$RAW_USER" "$SHORT_SHA" | tr -cd 'A-Za-z0-9._-')"
161+
162+ # Export for later steps
163+ {
164+ echo "SAFE_MODULE=$MODULE"
165+ echo "SAFE_HEAD=$RAW_SHA"
166+ echo "SAFE_ASSIGNEE=$RAW_USER"
167+ echo "SAFE_EMAIL=$SAFE_EMAIL"
168+ echo "SAFE_BRANCH=$BRANCH_NAME"
169+ echo "SAFE_SHORT=$SHORT_SHA"
170+ } >> "$GITHUB_ENV"
171+
172+ - name : Bump dependency (safe)
114173 run : |
115- commit=${{ github.event.client_payload.head_commit_sha }}
116- short=${commit:0:8}
117- echo "short=$short" >> $GITHUB_OUTPUT
118- - name : Create and Push new branch
174+ set -euo pipefail
175+ IFS=$'\n\t'
176+ echo "Installing ${SAFE_MODULE}@${SAFE_HEAD}"
177+ GOOS=linux go get "${SAFE_MODULE}@${SAFE_HEAD}"
178+
179+ - name : Get Assignee and Reviewer (safe)
180+ id : get_reviewer
181+ env :
182+ ASSIGNEE : ${{ env.SAFE_ASSIGNEE }}
119183 run : |
120- git config --global --add user.name "${{ github.event.client_payload.assignee }}"
121- git config --global --add user.email "${{ github.event.client_payload.assignee_email }}"
122- branchname=${{ format('{0}-{1}', github.event.client_payload.assignee, steps.short-sha.outputs.short) }}
123- git checkout -b "$branchname"
184+ set -euo pipefail
185+ if [ "${ASSIGNEE}" = "zachmu" ]; then
186+ echo "reviewer=Hydrocharged" >> "$GITHUB_OUTPUT"
187+ else
188+ echo "reviewer=zachmu" >> "$GITHUB_OUTPUT"
189+ fi
190+
191+ - name : Create and Push new branch (safe)
192+ env :
193+ GIT_USER : ${{ env.SAFE_ASSIGNEE }}
194+ GIT_MAIL : ${{ env.SAFE_EMAIL }}
195+ BRANCH : ${{ env.SAFE_BRANCH }}
196+ COMMIT_BY : ${{ env.SAFE_ASSIGNEE }}
197+ run : |
198+ set -euo pipefail
199+ IFS=$'\n\t'
200+
201+ git config --global user.name "${GIT_USER}"
202+ git config --global user.email "${GIT_MAIL}"
203+
204+ git checkout -b "${BRANCH}"
124205 git add .
125- git commit -m "${{ format('[ga-bump-dep] Bump dependency in GMS by {0}', github.event.client_payload.assignee) }}"
126- git push origin "$branchname"
206+
207+ # Commit message uses sanitized assignee only
208+ git commit -m "[ga-bump-dep] Bump dependency in GMS by ${COMMIT_BY}"
209+ git push origin "${BRANCH}"
210+
127211 - name : pull-request
128212 uses : repo-sync/pull-request@v2
129213 id : latest-pr
130214 with :
131- source_branch : ${{ format('{0}-{1}', github.event.client_payload.assignee, steps.short-sha.outputs.short ) }}
215+ source_branch : ${{ env.SAFE_BRANCH }}
132216 destination_branch : " main"
133217 github_token : ${{ secrets.REPO_ACCESS_TOKEN }}
134- pr_title : " [auto-bump] [no-release-notes] dependency by ${{ github.event.client_payload.assignee }}"
218+ pr_title : " [auto-bump] [no-release-notes] dependency by ${{ env.SAFE_ASSIGNEE }}"
135219 pr_template : " .github/markdown-templates/dep-bump.md"
136220 pr_reviewer : ${{ steps.get_reviewer.outputs.reviewer }}
137- pr_assignee : ${{ github.event.client_payload.assignee }}
221+ pr_assignee : ${{ env.SAFE_ASSIGNEE }}
138222 pr_label : ${{ needs.get-label.outputs.label }}
139223
140224 comment-on-stale-prs :
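Review bot: The three `grep -qE` validations at new lines 133, 147 and 153 are line-oriented, so a value containing an embedded newline passes as long as one of its lines matches the pattern, and the raw value is then written unchanged with `echo` into `$GITHUB_ENV` at new lines 164–169, where every line becomes its own `NAME=value` entry visible to all later steps. Matching the whole string in bash closes that gap with no new tooling: `if [ -z "${RAW_SHA:-}" ] || ! [[ "$RAW_SHA" =~ ^[A-Za-z0-9._+-]+$ ]]; then`, and likewise `[[ "$RAW_USER" =~ ^[A-Za-z0-9-]{1,39}$ ]]` and `[[ "$RAW_MAIL" =~ ^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$ ]]` (the step already relies on bash via `${RAW_SHA:0:8}` and `$'\n\t'`). The `SAFE_EMAIL` fallback at new line 156 is unreadable in this rendering (the address looks mangled and there is a space before the closing quote), so it is worth confirming the committed value is the plain noreply address with no trailing whitespace, since it goes straight into `git config user.email`. The job whose steps these are begins above the hunk.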