
chore: [SDK-4534] harden release workflow input handling#1462

Merged
fadi-george merged 1 commit into main from fadi/sdk-4534 on May 13, 2026

Conversation

@fadi-george
Contributor

@fadi-george fadi-george commented May 13, 2026

Description

1 Line Summary

Harden create-release-pr.yml by routing step outputs through env: and adding a least-privilege permissions: block.

Details

Internal hardening pass on the release workflow. See SDK-4534 for context.

Changes

  • Added a top-level permissions: block scoped to contents: write + pull-requests: write.
  • Replaced inline ${{ steps.*.outputs.* }} interpolation inside run: and actions/github-script script: bodies with per-step env: mappings, referenced as $VAR (bash) or process.env.VAR (JS).
  • Kept the release-notes heredoc as << 'EOF' and added a comment so the quoting is preserved.

Systems Affected

  • WebSDK
  • Backend
  • Dashboard

Validation

Tests

Info

No automated coverage for workflow files. Verified by re-grep: every remaining ${{ steps.*.outputs.* }} reference now lives in an env: key or inside the quoted heredoc. Bash logic in Calculate new version and JS in Generate release notes are functionally unchanged.

Checklist

  • All the automated tests pass or I explained why that is not possible
  • I have personally tested this on my machine or explained why that is not possible
  • I have included test coverage for these changes or explained why they are not needed

Screenshots

Info

N/A, workflow change.

Checklist

  • I have included screenshots/recordings of the intended results or explained why they are not needed

Related Tickets

@fadi-george fadi-george changed the title from "fix: [SDK-4534] prevent shell injection via PR titles in release workflow" to "chore: [SDK-4534] harden release workflow input handling" May 13, 2026
@fadi-george fadi-george requested a review from sherwinski May 13, 2026 21:45
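The two patterns the PR description contrasts, shown side by side as an added illustration. This is not the repository's create-release-pr.yml: the step names echo the PR (Calculate new version, Generate release notes), but the trigger, step ids, output names, version-bump rule, VERSION file and the final gh step are assumptions made for this example.

```yaml
# Added illustration, not the repository's create-release-pr.yml. The trigger,
# step ids, output names, bump rule and the final gh step are assumptions.
name: create-release-pr (illustrative)

on:
  pull_request:
    types: [closed]
    branches: [main]

# Least-privilege token: the job only needs to push a branch and open a PR.
permissions:
  contents: write
  pull-requests: write

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # so git describe can see existing tags

      # Untrusted input enters here: a PR title is author-controlled text.
      - name: Read PR title
        id: meta
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          # Passing the value through $GITHUB_OUTPUT keeps it out of any
          # later script's source text.
          printf 'title=%s\n' "$PR_TITLE" >> "$GITHUB_OUTPUT"

      # Pattern the PR removes (left as a comment, never executed):
      #
      #   run: echo "Releasing for ${{ steps.meta.outputs.title }}"
      #
      # The runner substitutes the expression into the script *before* bash
      # parses it, so metacharacters in the title become shell syntax.

      # Hardened pattern: the expression is only ever evaluated into an
      # environment variable; bash sees a fixed script plus an opaque $VAR.
      - name: Calculate new version
        id: version
        env:
          PR_TITLE: ${{ steps.meta.outputs.title }}
        run: |
          set -euo pipefail
          current="$(git describe --tags --abbrev=0 2>/dev/null || echo v0.0.0)"
          IFS=. read -r major minor patch <<< "${current#v}"
          case "$PR_TITLE" in
            *'!:'*|*BREAKING*) major=$((major + 1)); minor=0; patch=0 ;;
            feat*)             minor=$((minor + 1)); patch=0 ;;
            *)                 patch=$((patch + 1)) ;;
          esac
          echo "new_version=v${major}.${minor}.${patch}" >> "$GITHUB_OUTPUT"

      # Same rule for actions/github-script: read process.env instead of
      # splicing ${{ }} into the JavaScript source.
      - name: Generate release notes
        id: notes
        uses: actions/github-script@v7
        env:
          NEW_VERSION: ${{ steps.version.outputs.new_version }}
          PR_TITLE: ${{ steps.meta.outputs.title }}
        with:
          script: |
            const body = `## ${process.env.NEW_VERSION}\n\n- ${process.env.PR_TITLE}\n`;
            core.setOutput('body', body);

      - name: Open release PR
        env:
          NEW_VERSION: ${{ steps.version.outputs.new_version }}
          RELEASE_BODY: ${{ steps.notes.outputs.body }}
          GH_TOKEN: ${{ github.token }}
        run: |
          set -euo pipefail
          # Quoted 'EOF' delimiter: the heredoc is literal text, so the shell
          # does not re-expand anything inside it. Variable content is
          # appended separately via printf, never pasted into the script.
          cat > body.md << 'EOF'
          Automated release PR. Do not edit the version line by hand.
          EOF
          printf '%s\n' "$RELEASE_BODY" >> body.md
          git checkout -b "release/$NEW_VERSION"
          printf '%s\n' "$NEW_VERSION" > VERSION   # assumed version file
          git add VERSION
          git -c user.name=release-bot -c user.email=bot@example.invalid \
            commit -m "chore: release $NEW_VERSION"
          git push -u origin HEAD
          gh pr create --base main --head "release/$NEW_VERSION" \
            --title "Release $NEW_VERSION" --body-file body.md
```

The check the PR description mentions carries over directly: grep the file for `${{ steps.` and `${{ github.event.` and confirm every hit sits on an `env:` line rather than inside a `run:` or `script:` body. The `permissions:` block is what bounds the blast radius if a title still finds a way into a script, since the job token can then only touch contents and pull requests.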
Comment thread .github/workflows/create-release-pr.yml Outdated
claude[bot]

This comment was marked as off-topic.

Route step outputs through env: instead of inline interpolation in
run: and actions/github-script script: bodies, and add a least-privilege
top-level permissions: block.

Co-authored-by: Cursor <cursoragent@cursor.com>
@fadi-george fadi-george merged commit 3a6c069 into main May 13, 2026
2 checks passed
@fadi-george fadi-george deleted the fadi/sdk-4534 branch May 13, 2026 22:08
@github-actions github-actions Bot mentioned this pull request May 19, 2026