
fix: invalid version bump and body generation#101

Merged
ruromero merged 2 commits into guacsec:main from ruromero:fix/release-version
Feb 27, 2026

Conversation

Collaborator

@ruromero ruromero commented Feb 27, 2026

PR Type

Bug fix


Description

  • Remove premature release:update-versions call before tag creation

  • Use commit SHA instead of branch name for release tag target

  • Move version bump to separate step after tag creation

  • Fix PR body generation by using environment variable


Diagram Walkthrough

flowchart LR
  A["Set Release Version"] --> B["Get Version"]
  B --> C["Create Release Branch"]
  C --> D["Capture Commit SHA"]
  D --> E["Create GitHub Release Tag"]
  E --> F["Bump to Next Dev Version"]
  F --> G["Create Pull Request"]

File Walkthrough

Relevant files
Bug fix
release.yaml
Fix release workflow version bumping and tag creation       

.github/workflows/release.yaml

  • Removed mvn release:update-versions from initial version setup step
  • Added id: release_branch to capture commit SHA for accurate tag
    targeting
  • Changed target_commitish from branch name to commit SHA reference
  • Moved release:update-versions to new "Bump to next development
    version" step
  • Refactored PR body generation to use environment variable instead of
    heredoc
  • Reorganized step order to ensure proper version bumping sequence
+15/-9   

Signed-off-by: Ruben Romero Montes <rromerom@redhat.com>

qodo-code-review bot commented Feb 27, 2026


PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
Shell injection

Description: Potential shell command injection: the workflow interpolates ${{
github.event.inputs.version }} directly into a run: shell command without
quoting/sanitization (-DnewVersion=${{ github.event.inputs.version }}), which could allow
a crafted input (e.g., containing shell metacharacters) to execute arbitrary commands in
the runner if an attacker can trigger the workflow with controlled inputs.
release.yaml [44-48]

Referred Code
if [ -n "${{ github.event.inputs.version }}" ]; then
  mvn -B versions:set -DnewVersion=${{ github.event.inputs.version }} -DgenerateBackupPoms=false
else
  mvn -B versions:set -DremoveSnapshot -DgenerateBackupPoms=false
fi
Ticket Compliance
🎫 No ticket provided
Codebase Duplication Compliance
Codebase context is not defined


Custom Compliance
🟢
Generic: Comprehensive Audit Trails

Objective: To create a detailed and reliable record of critical system actions for security analysis
and compliance.

Status: Passed


Generic: Meaningful Naming and Self-Documenting Code

Objective: Ensure all identifiers clearly express their purpose and intent, making code
self-documenting

Status: Passed


Generic: Secure Error Handling

Objective: To prevent the leakage of sensitive system information through error messages while
providing sufficient detail for internal debugging.

Status: Passed


Generic: Secure Logging Practices

Objective: To ensure logs are useful for debugging and auditing without exposing sensitive
information like PII, PHI, or cardholder data.

Status: Passed


🔴
Generic: Robust Error Handling and Edge Case Management

Objective: Ensure comprehensive error handling that provides meaningful context and graceful
degradation

Status:
Unhandled git commit failure: The workflow runs git commit without handling the common “nothing to commit” edge case,
which can fail the job and halt the release process.

Referred Code
git add -A
git commit -m "build(release): bump to next development version"
git push origin "release/v${{ steps.version.outputs.version }}"


Generic: Security-First Input Validation and Data Handling

Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent
vulnerabilities

Status:
Unvalidated version input: The workflow passes the external input ${{ github.event.inputs.version }} directly into a
Maven CLI argument without visible validation/quoting, which could allow malformed values
to break the command or alter argument parsing.

Referred Code
if [ -n "${{ github.event.inputs.version }}" ]; then
  mvn -B versions:set -DnewVersion=${{ github.event.inputs.version }} -DgenerateBackupPoms=false
else
  mvn -B versions:set -DremoveSnapshot -DgenerateBackupPoms=false
fi


Compliance status legend
🟢 - Fully Compliant
🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label
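The two findings above (shell injection and unvalidated version input) share one root cause: the input is spliced into the script text by `${{ }}` expansion. The following is an added example, not code from guacsec or this PR, showing the hardened shape of the "Set release version" step: the workflow is assumed to map the input to an environment variable (`env: RELEASE_VERSION: ${{ github.event.inputs.version }}`), the value is matched against a strict version pattern before it reaches Maven, and `MVN` is an assumed override so the step can be exercised without a real `mvn` binary.

```shell
#!/bin/sh
# Hardened replacement for the run: body of the "Set release version" step.
# Assumption: the workflow step declares
#   env:
#     RELEASE_VERSION: ${{ github.event.inputs.version }}
# so the input is data in the environment, never part of the script text.

# Accept only release-like versions: 1.2.3 or 1.2.3-qualifier (e.g. 1.2.3-rc.1).
# Anything with shell metacharacters, spaces or leading "-" is rejected.
validate_version() {
  printf '%s\n' "$1" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.]+)?$'
}

# Print the versions:set arguments for the given input (may be empty).
# Mirrors the original if/else: empty input => drop -SNAPSHOT, otherwise set it.
# Returns 1 (and prints nothing on stdout) when the input is malformed.
version_args() {
  if [ -z "$1" ]; then
    printf '%s\n' "versions:set -DremoveSnapshot -DgenerateBackupPoms=false"
  elif validate_version "$1"; then
    printf '%s\n' "versions:set -DnewVersion=$1 -DgenerateBackupPoms=false"
  else
    printf 'rejected release version input: %s\n' "$1" >&2
    return 1
  fi
}

# Step entry point: reads RELEASE_VERSION from the environment and fails the
# job before Maven runs if the value does not validate. MVN is an assumed
# override (defaults to mvn) so the logic can be tested with MVN=echo.
set_release_version() {
  args=$(version_args "${RELEASE_VERSION:-}") || return 1
  # $args is intentionally unquoted: it is a validated, space-separated list
  # built above, not user input.
  "${MVN:-mvn}" -B $args
}
```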


qodo-code-review bot commented Feb 27, 2026


PR Code Suggestions ✨

Explore these optional code suggestions:

Category | Suggestion | Impact
Possible issue
Make pull request creation idempotent

Add the --fill flag to the gh pr create command to prevent failures on re-runs
by updating an existing pull request instead of attempting to create a new one.

.github/workflows/release.yaml [94-108]

 - name: Create Pull Request for release + next version
   env:
     GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     PR_BODY: |
       This PR contains the following changes:
 
       1. Release version bump to ${{ steps.version.outputs.version }}.
       2. Filtered resources (docs, JS) updated to reflect the release version.
       3. Next development version bump after the release.
   run: |
     gh pr create \
       --title "build(release): release ${{ steps.version.outputs.version }} and bump to next development version" \
       --body "$PR_BODY" \
       --base main \
-      --head "release/v${{ steps.version.outputs.version }}"
+      --head "release/v${{ steps.version.outputs.version }}" \
+      --fill
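Review bot: `--fill` does not make `gh pr create` idempotent, so the stated rationale in this hunk does not hold; the flag only derives the title and body from the branch's commits, which the explicit `--title` and `--body` already supply, and a re-run still fails when a pull request for `release/v${{ steps.version.outputs.version }}` is already open. If re-runs need to be safe, query first and skip creation when a PR exists, e.g. `gh pr list --head "release/v${{ steps.version.outputs.version }}" --state open --json number`, and only call `gh pr create` when the result is empty.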
Suggestion importance[1-10]: 7


Why: The suggestion correctly identifies a potential failure point in the workflow and proposes using --fill to make the PR creation step idempotent, which significantly improves its robustness.

Medium
General
skip CI on bump commit

Add [skip ci] to the commit message for the version bump to prevent triggering a
redundant CI workflow run.

.github/workflows/release.yaml [91]

-git commit -m "build(release): bump to next development version"
+git commit -m "build(release): bump to next development version [skip ci]"
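Review bot: the bump commit becomes the head of the release pull request opened in the next step, and GitHub skips both `push` and `pull_request` workflow runs when the head commit message contains `[skip ci]`, so this hunk would leave the PR with no status checks; if `main` has required checks, the PR cannot be merged until something else is pushed to the branch. Keep the commit triggering CI, or make sure the checks required on `main` are produced some other way for this branch.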
Suggestion importance[1-10]: 6


Why: This is a valid and useful suggestion to prevent unnecessary CI runs, as the commit is made by the workflow itself on a branch that is immediately used for a pull request.

Low
disable Maven backup POM generation

Add the -DgenerateBackupPoms=false flag to the mvn release:update-versions
command to avoid creating unnecessary backup pom.xml files.

.github/workflows/release.yaml [87-89]

 - name: Bump to next development version
   run: |
-    mvn -B release:update-versions
+    mvn -B release:update-versions -DgenerateBackupPoms=false
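Review bot: `generateBackupPoms` is a versions-maven-plugin property (it is what the earlier `versions:set` invocations in this file use), whereas `release:update-versions` is a maven-release-plugin goal, and I am not aware of that plugin honouring this property, so the added flag is most likely ignored. Before applying the hunk, run the goal locally and check whether any backup POM files are actually left behind; if they are, delete them explicitly in the step instead of relying on an unrecognised property.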
Suggestion importance[1-10]: 5


Why: The suggestion correctly points out that mvn release:update-versions creates backup POM files, and adding -DgenerateBackupPoms=false prevents this, which is good practice in a CI environment and consistent with other commands in the file.

Low

@ruromero ruromero merged commit 817898b into guacsec:main Feb 27, 2026
3 checks passed
@ruromero ruromero deleted the fix/release-version branch February 27, 2026 09:15