2 changes: 2 additions & 0 deletions node-release/README.md
@@ -24,6 +24,7 @@ The new version is saved in the output.
skip_ci: true
prerelease: false
only_tag: false


- run: echo "${{ steps.release.outputs.version }}"
```
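Review bot: the usage example should show the new `package_path` input next to `only_tag` (for instance `package_path: ./`), since the rest of this PR adds it; as rendered here the added line is blank, so a reader of the README still does not see how to point the action at a package.json in a subdirectory.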
@@ -38,6 +39,7 @@ The new version is saved in the output.
| skip_ci | True if you want skip CI workflows on commit release | false | `boolean` | true |
| prerelease | True if it is a prerelease | false | `boolean` | false |
| only_tag | True to create only the Tag without the Release | false | `boolean` | false |
| package_path | Path leading to package.json file | false | `string` | ./ |

## Output

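Review bot: the `package_path` description should state that the value is a directory path ending in `/` (default `./`), because action.yml builds the file name as `${PACKAGE_PATH}package.json`; a value such as `packages/app` becomes `packages/apppackage.json`, the `-f` test fails and the version step is silently skipped. Suggested wording: `Directory containing package.json, with trailing slash (e.g. ./ or packages/app/)`.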
17 changes: 13 additions & 4 deletions node-release/action.yml
@@ -35,6 +35,11 @@
type: boolean
description: True to create only the Tag without the Release
default: false
package_path:
required: false
type: string
description: Path leading to package.json file
default: "./"


outputs:
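Review bot: `package_path` is later concatenated verbatim with `package.json` and interpolated into a `node -p` program, so this input needs constraints: document the required trailing slash in the description, and have the consuming step reject empty, absolute, `..`-containing or quote-containing values before use. Any caller of the action can set this input, which is why CodeQL flags it further down.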
@@ -69,11 +74,13 @@

- id: get_version
name: Get Version
env:
PACKAGE_PATH: ${{ inputs.package_path }}
run: |
PACKAGE_FILE="package.json"
PACKAGE_FILE="${PACKAGE_PATH}package.json"
if [[ -f "$PACKAGE_FILE" ]]; then
echo "version=$(node -p "require('./package.json').version")" >> $GITHUB_ENV
echo "version=$(node -p "require('${PACKAGE_PATH}package.json').version")" >> $GITHUB_ENV
fi

Check warning

Code scanning / CodeQL

Environment variable built from user-controlled sources Medium

Potential environment variable injection in
PACKAGE_FILE="${PACKAGE_PATH}package.json"
if [[ -f "$PACKAGE_FILE" ]]; then
echo "version=$(node -p "require('${PACKAGE_PATH}package.json').version")" >> $GITHUB_ENV
fi
, which may be controlled by an external user.
shell: bash

- name: Bump Package Version
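Review bot: the CodeQL warning on this hunk is valid on two counts. First, `PACKAGE_PATH` is spliced into the JavaScript source `require('${PACKAGE_PATH}package.json')`, so a value containing a quote changes the program node evaluates; pass the path through the environment instead, e.g. `node -p "require(require('path').resolve(process.env.PACKAGE_FILE)).version"`. Second, whatever `.version` contains is appended to `$GITHUB_ENV` unquoted and unvalidated, and a value with an embedded newline adds further variables to the job environment; validate it against a semver pattern before writing and quote `"$GITHUB_ENV"`.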
@@ -100,9 +107,11 @@
- name: Push New Version
if: ${{ inputs.semver != 'skip' }}
shell: bash
env:
PACKAGE_PATH: ${{ inputs.package_path }}
run: |
contents="$(jq '.version = "${{ steps.semver.outputs.new_version }}"' package.json)"
echo -E "${contents}" > package.json
contents="$(jq '.version = "${{ steps.semver.outputs.new_version }}"' ${PACKAGE_PATH}package.json)"

Check warning

Code scanning / CodeQL

Code injection Medium

Potential code injection in
${{ steps.semver.outputs.new_version }}
, which may be controlled by an external user.

Copilot Autofix

AI 30 days ago

The best way to fix this problem is to avoid directly interpolating untrusted values (such as ${{ steps.semver.outputs.new_version }}) into shell scripts or commands, especially when using double quotes or here-documents. Instead, assign expressions like ${{ steps.semver.outputs.new_version }} to an environment variable using the env: block, and then reference that variable within your shell script using the shell's native syntax (e.g., $NEW_VERSION). This prevents shell interpretation of potentially malicious input and adheres to GitHub's safe usage guidelines.
Specifically, in file node-release/action.yml, edit the block for "Push New Version".

  • In the step starting at line 107, update the env: block to include NEW_VERSION: ${{ steps.semver.outputs.new_version }}.
  • Then, update line 113 to reference $NEW_VERSION within single quotes in the jq command: jq '.version = "'$NEW_VERSION'"' ....

Suggested changeset 1
node-release/action.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/node-release/action.yml b/node-release/action.yml
--- a/node-release/action.yml
+++ b/node-release/action.yml
@@ -109,17 +109,18 @@
       shell: bash
       env:
         PACKAGE_PATH: ${{ inputs.package_path }}
+        NEW_VERSION: ${{ steps.semver.outputs.new_version }}
       run: |
-        contents="$(jq '.version = "${{ steps.semver.outputs.new_version }}"' ${PACKAGE_PATH}package.json)"
+        contents="$(jq '.version = "'$NEW_VERSION'"' ${PACKAGE_PATH}package.json)"
         echo -E "${contents}" > ${PACKAGE_PATH}package.json
   
         git add .
         git config --global user.email "[email protected]"
         git config --global user.name "pagopa-github-bot"
         if [ "${{ inputs.skip_ci }}" = "true" ]; then
-            git commit -m "Bump to version ${{ steps.semver.outputs.new_version }} [skip ci]" || exit 0
+            git commit -m "Bump to version $NEW_VERSION [skip ci]" || exit 0
           else
-            git commit -m "Bump to version ${{ steps.semver.outputs.new_version }}" || exit 0
+            git commit -m "Bump to version $NEW_VERSION" || exit 0
         fi
         git push origin ${{ github.ref_name}}
 
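Review bot: moving the value into `env:` is the right first step, but `'"'$NEW_VERSION'"'` on the new jq line still pastes the value into jq program text (a `"` in it closes the string literal early) and leaves `$NEW_VERSION` outside shell quotes, so it is word-split. Use `jq --arg v "$NEW_VERSION" '.version = $v' "${PACKAGE_PATH}package.json"` so the value is only ever data. The unchanged `git push origin ${{ github.ref_name}}` line has the same expression-interpolation pattern and should use the default `"$GITHUB_REF_NAME"` variable instead.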
EOF
echo -E "${contents}" > ${PACKAGE_PATH}package.json

git add .
git config --global user.email "[email protected]"
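Review bot: `${{ steps.semver.outputs.new_version }}` is expanded by the runner into the script text before bash runs it, so the jq filter and both `git commit -m` strings are built from an untrusted value; this is what CodeQL flags. Put it in `env:` as `NEW_VERSION` as Copilot suggests, then use `jq --arg v "$NEW_VERSION" '.version = $v'` rather than splicing it into the filter, and quote the redirect target as `"${PACKAGE_PATH}package.json"` on the `echo -E` line. `git push origin ${{ github.ref_name}}` should become `git push origin "$GITHUB_REF_NAME"` for the same reason.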
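Hardened helpers for the two flagged steps, as an added example (bash, not the project's action.yml): the function names and the sample path and version strings are my own, and jq and node are assumed to be on PATH.

```bash
#!/usr/bin/env bash
# Added example (not the project's code): hardened helpers for the two steps
# flagged by CodeQL. Assumes bash 4+, jq and node in PATH; the sample paths and
# version strings used with these functions are constructed values.
set -euo pipefail

# Normalise a package_path input: relative, no '..' or shell-special chars,
# exactly one trailing slash so "${PACKAGE_PATH}package.json" always resolves.
normalize_package_path() {
  local p="$1"
  case "$p" in
    ''|/*|*..*|*[!A-Za-z0-9._/@-]*) return 1 ;;
  esac
  printf '%s/\n' "${p%/}"
}

# Accept only a semver core plus optional pre-release tag, so the value can be
# handed to jq, git or GITHUB_ENV without ever being parsed as code.
is_semver() {
  [[ "$1" =~ ^[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.-]+)?$ ]]
}

# Read .version without interpolating the path into a JS program: node gets
# the file name through the environment instead of the command line.
read_version() {
  PACKAGE_FILE="$1" node -p \
    "JSON.parse(require('fs').readFileSync(process.env.PACKAGE_FILE,'utf8')).version"
}

# Write the new version with jq --arg; the value never becomes jq program text.
set_version() {
  local file="$1" ver="$2" tmp
  is_semver "$ver" || { echo "refusing non-semver version: $ver" >&2; return 1; }
  tmp="$(mktemp)"
  jq --arg v "$ver" '.version = $v' "$file" > "$tmp" && mv "$tmp" "$file"
}

# GITHUB_ENV takes one KEY=VALUE per line, so a value containing a newline
# would smuggle extra variables into the job; the semver check excludes that.
export_version() {
  local ver="$1"
  is_semver "$ver" || return 1
  printf 'version=%s\n' "$ver" >> "${GITHUB_ENV:-/dev/null}"
}
```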