@@ -107,9 +107,75 @@ runs:
107107  using : composite 
108108  steps :
109109    - id : output_sha 
110-       if : ${{ !cancelled() }} 
110+       if : ${{ (github.repository == 'reactive-firewall-org/multicast') && !cancelled() }} 
111+       env :
112+         CI_INPUT_TARGET_SHA : ' ${{ inputs.sha }}' 
111113      shell : bash 
112-       run : printf "sha=%s\n" $(git rev-parse --verify '${{ inputs.sha }}') >> "$GITHUB_OUTPUT" 
114+       run : | 
115+         set -euo pipefail 
116+ 
117+         raw_input="${CI_INPUT_TARGET_SHA}" 
118+ 
119+         # Reject NUL or newline immediately 
120+         if printf '%s' "$raw_input" | grep -q '[^[:print:]]'; then 
121+           printf "::error title='Invalid':: %s\n" "Error: input contains disallowed control characters" >&2 
122+           exit 1 
123+         fi 
124+ 
125+         # Strip one level of surrounding quotes and trim whitespace 
126+         normalize() { 
127+           local s="$1" 
128+           s="${s#"${s%%[![:space:]]*}"}" 
129+           s="${s%"${s##*[![:space:]]}"}" 
130+           if [[ (${s:0:1} == "'" && ${s: -1} == "'") || (${s:0:1} == '"' && ${s: -1} == '"') ]]; then 
131+             s="${s:1:-1}" 
132+           fi 
133+           printf '%s' "$s" 
134+         } 
135+         input="$(normalize "$raw_input")" 
136+ 
137+         # Reject inputs starting with '-' (options) 
138+         if [[ "${input:0:1}" == "-" ]]; then 
139+           printf "::error title='Invalid':: %s\n" "Error: input may not start with '-'" >&2 
140+           exit 1 
141+         fi 
142+ 
143+         # If it's a 40-char SHA, accept directly 
144+         if [[ "$input" =~ ^[0-9a-f]{40}$ ]]; then 
145+           resolved_sha="$input" 
146+         else 
147+           # Try explicit namespaces in order: full refs, refs/heads/, refs/tags/, then bare branch/tag 
148+           resolved_sha="" 
149+           # 1) If input is a full ref path starting with refs/, resolve only that 
150+           if [[ "$input" == refs/* ]]; then 
151+             if git rev-parse --verify "$input" >/dev/null 2>&1; then 
152+               resolved_sha="$(git rev-parse --verify "$input")" 
153+             else 
154+               printf "::error title='Invalid':: %s\n" "Error: ref not found: $input" >&2 
155+               exit 1 
156+             fi 
157+           else 
158+             # 2) Try refs/heads/<input> 
159+             if git rev-parse --verify "refs/heads/$input" >/dev/null 2>&1; then 
160+               resolved_sha="$(git rev-parse --verify "refs/heads/$input")" 
161+             # 3) Try refs/tags/<input> 
162+             elif git rev-parse --verify "refs/tags/$input" >/dev/null 2>&1; then 
163+               resolved_sha="$(git rev-parse --verify "refs/tags/$input")" 
164+             else 
165+               printf "::error title='Invalid':: %s\n" "Error: no matching branch or tag found for: $input" >&2 
166+               exit 1 
167+             fi 
168+           fi 
169+         fi 
170+ 
171+         # Ensure final resolved value is a full 40-char commit SHA 
172+         if [[ ! "$resolved_sha" =~ ^[0-9a-f]{40}$ ]]; then 
173+           printf "::error title='Invalid':: %s\n" "Error: resolved value is not a full commit SHA" >&2 
174+           exit 1 
175+         fi 
176+ 
177+         printf "sha=%s\n" "$resolved_sha" >> "$GITHUB_OUTPUT" 
178+ 
113179id : output_uuid 
114180      if : ${{ !cancelled() && (inputs.check-id == '') }} 
115181      shell : bash 
@@ -128,7 +194,7 @@ runs:
128194      if : ${{ !cancelled() && (github.repository == 'reactive-firewall-org/multicast') }} 
129195      shell : bash 
130196      run : | 
131-         if [[ "${{ inputs.details-url }}" != "" ]] ; then 
197+         if [[ "${{ inputs.details-url }}" != "DEFAULT " ]] ; then 
132198          printf "details_url=%s\n" '${{ inputs.details-url }}' >> "$GITHUB_OUTPUT" 
133199          printf "::debug:: %s\n" "Check detail url was provided: ${{ inputs.details-url }}" ; 
134200        else 
@@ -151,17 +217,28 @@ runs:
151217      shell : bash 
152218      env :
153219        GH_TOKEN : ${{ inputs.token }} 
220+         CHECK_NAME_INPUT : ' ${{ inputs.name }}' 
221+         CHECK_TITLE_INPUT : ' ${{ inputs.title || inputs.name }}' 
154222      run : | 
223+         printf "%s\n" "::group::validate-name" 
224+         name_input=${CHECK_NAME_INPUT} 
225+         printf "::debug:: %s\n" "Will use name $name_input" ; 
226+         printf "%s\n" "::endgroup::" 
227+         printf "%s\n" "::group::validate-title" 
228+         title_input=${CHECK_TITLE_INPUT} 
229+         printf "::debug:: %s\n" "Will use name $title_input" ; 
230+         sanitized_input_title_field=$(printf "%s%s" 'output[title]=' "$title_input" ;) 
231+         printf "%s\n" "::endgroup::" 
155232        printf "%s\n" "::group::create-new-check" 
156233        # GitHub CLI api 
157234        # https://cli.github.com/manual/gh_api 
158235        CHECK_ID=$(gh api --method POST -H "Accept: application/vnd.github+json" \ 
159236        /repos/reactive-firewall-org/multicast/check-runs \ 
160-         -f "name=${{ inputs.name }} " -f "head_sha=${{ steps.output_sha.outputs.sha }}" \ 
161-         -f " status=${{ inputs.status }}"  -f "external_id=${{ steps.output_uuid.outputs.uuid }}" \ 
237+         -f "name=$name_input " -f "head_sha=${{ steps.output_sha.outputs.sha }}" \ 
238+         -f ' status=${{ inputs.status }}'  -f "external_id=${{ steps.output_uuid.outputs.uuid }}" \ 
162239        -f "started_at=${{ steps.output_date.outputs.check_date }}Z" \ 
163240        -f "details_url=${{ steps.output_check_details_url.outputs.details_url }}" \ 
164-         -f 'output[title]=${{ inputs.title }}'  \ 
241+         -f "$sanitized_input_title_field"  \ 
165242        -f 'output[summary]=' -f 'output[text]=' --jq '.id'); 
166243        printf "check_id=%s\n" "${CHECK_ID}" >> "$GITHUB_OUTPUT" 
167244        printf "%s\n" "::endgroup::" 
@@ -171,17 +248,28 @@ runs:
171248      shell : bash 
172249      env :
173250        GH_TOKEN : ${{ inputs.token }} 
251+         CHECK_NAME_INPUT : ' ${{ inputs.name }}' 
252+         CHECK_TITLE_INPUT : ' ${{ inputs.title || inputs.name }}' 
174253      run : | 
254+         printf "%s\n" "::group::validate-name" 
255+         name_input=${CHECK_NAME_INPUT} 
256+         printf "::debug:: %s\n" "Will use name $name_input" ; 
257+         printf "%s\n" "::endgroup::" 
258+         printf "%s\n" "::group::validate-title" 
259+         title_input=${CHECK_TITLE_INPUT} 
260+         printf "::debug:: %s\n" "Will use name $title_input" ; 
261+         sanitized_input_title_field=$(printf "%s%s" 'output[title]=' "$title_input" ;) 
262+         printf "%s\n" "::endgroup::" 
175263        printf "%s\n" "::group::update-new-check" 
176264        # GitHub CLI api 
177265        # https://cli.github.com/manual/gh_api 
178266        CHECK_ID=$(gh api --method POST -H "Accept: application/vnd.github+json" \ 
179267        /repos/reactive-firewall-org/multicast/check-runs \ 
180-         -f "name=${{ inputs.name }} " -f "head_sha=${{ steps.output_sha.outputs.sha }}" \ 
268+         -f "name=$name_input " -f "head_sha=${{ steps.output_sha.outputs.sha }}" \ 
181269        -f "status=in_progress" -f "external_id=${{ steps.output_uuid.outputs.uuid }}" \ 
182270        -f "started_at=${{ steps.output_date.outputs.check_date }}Z" \ 
183271        -f "details_url=${{ steps.output_check_details_url.outputs.details_url }}" \ 
184-         -f 'output[title]=${{ inputs.title }}'  \ 
272+         -f "$sanitized_input_title_field"  \ 
185273        -f 'output[summary]=Check is in progress.' -f 'output[text]=' --jq '.id'); 
186274        printf "check_id=%s\n" "${CHECK_ID}" >> "$GITHUB_OUTPUT" 
187275        printf "%s\n" "::endgroup::" 
@@ -215,16 +303,27 @@ runs:
215303      shell : bash 
216304      env :
217305        GH_TOKEN : ${{ inputs.token }} 
306+         CHECK_NAME_INPUT : ' ${{ inputs.name }}' 
307+         CHECK_TITLE_INPUT : ' ${{ inputs.title || inputs.name }}' 
218308      run : | 
309+         printf "%s\n" "::group::validate-name" 
310+         name_input=${CHECK_NAME_INPUT} 
311+         printf "::debug:: %s\n" "Will use name $name_input" ; 
312+         printf "%s\n" "::endgroup::" 
313+         printf "%s\n" "::group::validate-title" 
314+         title_input=${CHECK_TITLE_INPUT} 
315+         printf "::debug:: %s\n" "Will use name $title_input" ; 
316+         sanitized_input_title_field=$(printf "%s%s" 'output[title]=' "$title_input" ;) 
317+         printf "%s\n" "::endgroup::" 
219318        printf "%s\n" "::group::update-check" 
220319        # GitHub CLI api 
221320        # https://cli.github.com/manual/gh_api 
222321        gh api --method PATCH -H "Accept: application/vnd.github+json" \ 
223322        /repos/reactive-firewall-org/multicast/check-runs/${{ steps.output_check_id.outputs.check_id }} \ 
224-         -f "name=${{ inputs.name }} " -f "head_sha=${{ steps.output_sha.outputs.sha }}" \ 
323+         -f "name=$name_input " -f "head_sha=${{ steps.output_sha.outputs.sha }}" \ 
225324        -f "status=${{ inputs.status }}" \ 
226325        -f "details_url=${{ steps.output_check_details_url.outputs.details_url }}" \ 
227-         -f 'output[title]=${{ inputs.title }}'  \ 
326+         -f "$sanitized_input_title_field"  \ 
228327        -f 'output[summary]=${{ inputs.summary }}' -f 'output[text]=${{ inputs.text }}' 
229328        printf "%s\n" "::endgroup::" 
230329name : " Update Check" 
@@ -233,17 +332,28 @@ runs:
233332      shell : bash 
234333      env :
235334        GH_TOKEN : ${{ inputs.token }} 
335+         CHECK_NAME_INPUT : ' ${{ inputs.name }}' 
336+         CHECK_TITLE_INPUT : ' ${{ inputs.title || inputs.name }}' 
236337      run : | 
338+         printf "%s\n" "::group::validate-name" 
339+         name_input=${CHECK_NAME_INPUT} 
340+         printf "::debug:: %s\n" "Will use name $name_input" ; 
341+         printf "%s\n" "::endgroup::" 
342+         printf "%s\n" "::group::validate-title" 
343+         title_input=${CHECK_TITLE_INPUT} 
344+         printf "::debug:: %s\n" "Will use name $title_input" ; 
345+         sanitized_input_title_field=$(printf "%s%s" 'output[title]=' "$title_input" ;) 
346+         printf "%s\n" "::endgroup::" 
237347        printf "%s\n" "::group::complete-check" 
238348        # GitHub CLI api 
239349        # https://cli.github.com/manual/gh_api 
240350        gh api --method PATCH -H "Accept: application/vnd.github+json" \ 
241351        /repos/reactive-firewall-org/multicast/check-runs/${{ steps.output_check_id.outputs.check_id }} \ 
242-         -f "name=${{ inputs.name }} " -f "head_sha=${{ steps.output_sha.outputs.sha }}" \ 
352+         -f "name=$name_input " -f "head_sha=${{ steps.output_sha.outputs.sha }}" \ 
243353        -f "status=completed" -f "conclusion=${{ inputs.conclusion }}" \ 
244354        -f "completed_at=${{ steps.output_date.outputs.check_date }}Z" \ 
245355        -f "details_url=${{ steps.output_check_details_url.outputs.details_url }}" \ 
246-         -f 'output[title]=${{ inputs.title }}'  \ 
356+         -f "$sanitized_input_title_field"  \ 
247357        -f 'output[summary]=${{ inputs.summary }}' -f 'output[text]=${{ inputs.text }}' 
248358        printf "%s\n" "::endgroup::" 
249359name : " Report outcome of checks API" 
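Review bot: In the output_sha step, `git rev-parse --verify` on `refs/tags/$input` returns the tag object's id for an annotated tag, and `refs/heads/$input` with a rev suffix such as `main:README` yields a blob or tree id; all are 40 hex characters, so the final SHA check passes and a non-commit id reaches `head_sha`. Peeling with `^{commit}` (and `--quiet` to drop the duplicated lookup) fixes that, and the same peel would restore the existence check the removed line had for the bare 40-hex shortcut, which now passes through unverified. The comment `# Reject NUL or newline immediately` overstates the grep: grep splits on newlines, so an embedded newline is not matched by `[^[:print:]]` — `[[ "$raw_input" == *$'\n'* ]]` would check it. In the four check-run hunks the `validate-name`/`validate-title` groups and `sanitized_input_title_field` neither validate nor escape anything — they only copy the env value — so either rename them or add a check such as rejecting a leading `-` as output_sha does; the title debug line also says `Will use name`, presumably a copy-paste. The details-url hunk still interpolates `inputs.details-url` directly into the script, unlike the env-var indirection the other steps now use.
```yaml
          # … unchanged: control-character and leading '-' checks …
          # A well-formed 40-hex input must still exist as a commit in this checkout
          if [[ "$input" =~ ^[0-9a-f]{40}$ ]]; then
            if ! resolved_sha="$(git rev-parse --verify --quiet "${input}^{commit}")"; then
              printf "::error title='Invalid':: %s\n" "Error: commit not found: $input" >&2
              exit 1
            fi
          # 1) A full ref path is resolved as given; ^{commit} peels annotated tags
          #    and rejects tree/blob results so head_sha is always a commit
          elif [[ "$input" == refs/* ]]; then
            if ! resolved_sha="$(git rev-parse --verify --quiet "${input}^{commit}")"; then
              printf "::error title='Invalid':: %s\n" "Error: ref not found: $input" >&2
              exit 1
            fi
          # 2) refs/heads/<input>, then 3) refs/tags/<input>
          elif resolved_sha="$(git rev-parse --verify --quiet "refs/heads/${input}^{commit}")"; then
            :
          elif resolved_sha="$(git rev-parse --verify --quiet "refs/tags/${input}^{commit}")"; then
            :
          else
            printf "::error title='Invalid':: %s\n" "Error: no matching branch or tag found for: $input" >&2
            exit 1
          fi
          # … unchanged: final 40-hex check and $GITHUB_OUTPUT write …
```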