
Conversation

@mamari90 (Contributor) commented Dec 11, 2025

List of Changes

Motivation and Context

How Has This Been Tested?

Screenshots (if appropriate):

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)

Checklist:

  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.

@mamari90 mamari90 requested a review from a team as a code owner December 11, 2025 11:44
mamari90 and others added 2 commits December 11, 2025 14:32
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
contents="$(jq '.version = "${{ steps.semver.outputs.new_version }}"' package.json)"
echo -E "${contents}" > package.json
contents="$(jq '.version = "${{ steps.semver.outputs.new_version }}"' ${PACKAGE_PATH}package.json)"
echo -E "${contents}" > ${PACKAGE_PATH}package.json

Check warning

Code scanning / CodeQL

Code injection (Medium)

Potential code injection in ${{ steps.semver.outputs.new_version }}, which may be controlled by an external user.

Copilot Autofix (AI), 28 days ago

The best way to fix this problem is to avoid directly interpolating untrusted values (such as ${{ steps.semver.outputs.new_version }}) into shell scripts or commands, especially when using double quotes or here-documents. Instead, assign expressions like ${{ steps.semver.outputs.new_version }} to an environment variable using the env: block, and then reference that variable within your shell script using the shell's native syntax (e.g., $NEW_VERSION). This prevents shell interpretation of potentially malicious input and adheres to GitHub's safe usage guidelines.
Specifically, in file node-release/action.yml, edit the block for "Push New Version".

  • In the step starting at line 107, update the env: block to include NEW_VERSION: ${{ steps.semver.outputs.new_version }}.
  • Then, update line 113 to reference $NEW_VERSION within single quotes in the jq command: jq '.version = "'$NEW_VERSION'"' ....

Suggested changeset 1
node-release/action.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/node-release/action.yml b/node-release/action.yml
--- a/node-release/action.yml
+++ b/node-release/action.yml
@@ -109,17 +109,18 @@
       shell: bash
       env:
         PACKAGE_PATH: ${{ inputs.package_path }}
+        NEW_VERSION: ${{ steps.semver.outputs.new_version }}
       run: |
-        contents="$(jq '.version = "${{ steps.semver.outputs.new_version }}"' ${PACKAGE_PATH}package.json)"
+        contents="$(jq '.version = "'$NEW_VERSION'"' ${PACKAGE_PATH}package.json)"
         echo -E "${contents}" > ${PACKAGE_PATH}package.json
   
         git add .
         git config --global user.email "[email protected]"
         git config --global user.name "pagopa-github-bot"
         if [ "${{ inputs.skip_ci }}" = "true" ]; then
-            git commit -m "Bump to version ${{ steps.semver.outputs.new_version }} [skip ci]" || exit 0
+            git commit -m "Bump to version $NEW_VERSION [skip ci]" || exit 0
           else
-            git commit -m "Bump to version ${{ steps.semver.outputs.new_version }}" || exit 0
+            git commit -m "Bump to version $NEW_VERSION" || exit 0
         fi
         git push origin ${{ github.ref_name}}
 
EOF
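Review bot: In the run: block, jq '.version = "'$NEW_VERSION'"' still builds the jq program from the variable's text, so a value containing a double quote breaks out of the JSON string literal, and the unquoted $NEW_VERSION is subject to word splitting; pass it as data instead: jq --arg v "$NEW_VERSION" '.version = $v' "${PACKAGE_PATH}package.json". The same hunk leaves "${{ inputs.skip_ci }}" in the if test and ${{ github.ref_name}} in git push interpolated directly into the script; for consistency with the reason for this change, move them into env: as well (e.g. SKIP_CI, REF_NAME) and reference them as "$SKIP_CI" and "$REF_NAME". Also quote "${PACKAGE_PATH}package.json" in both the jq call and the redirect.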
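As an added example (not the repository's action.yml and not the autofix's code), the same bump done so the version is data rather than program text: it is read from NEW_VERSION, the variable the autofix introduces, checked against a semver allowlist, and handed to jq with --arg instead of being spliced into the jq filter. The names is_semver and bump_version and the temp-file handling are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example, not the repository's action.yml. The version arrives as an
# environment variable (as the autofix does with NEW_VERSION) and is passed
# to jq with --arg, so it is JSON data, never part of the jq program or of
# the shell command line. A strict semver allowlist rejects anything else
# before it can reach jq, git commit -m or git push.
set -eu

# Return 0 only for a plain semver string: MAJOR.MINOR.PATCH with optional
# -prerelease and +build parts, characters limited to [0-9A-Za-z.-].
is_semver() {
  printf '%s\n' "$1" |
    grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.-]+)?([+][0-9A-Za-z.-]+)?$'
}

# Rewrite .version in the given package.json. The new version is read from
# NEW_VERSION (set via the step's env: block in a workflow), validated, and
# given to jq as a named argument. Output goes to a temp file, then renamed,
# so a failing jq run never truncates the original file.
bump_version() {
  local file="$1" version="${NEW_VERSION:-}"
  if ! is_semver "$version"; then
    printf 'refusing to use version %s\n' "$version" >&2
    return 1
  fi
  local tmp
  tmp="$(mktemp)"
  jq --arg v "$version" '.version = $v' "$file" > "$tmp"
  mv "$tmp" "$file"
}
```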
@mamari90 mamari90 merged commit 27e1f41 into main Dec 11, 2025
5 checks passed
@mamari90 mamari90 deleted the node-release-custom-package branch December 11, 2025 14:15
@github-actions commented:

🎉 This PR is included in version 2.3.1 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀
