Merged
Changes from 1 commit
2 changes: 1 addition & 1 deletion .github/actions/publish-beta/action.yml
@@ -10,7 +10,7 @@ runs:

- name: Run Builds
shell: bash
run: pnpm nx run-many -t build --no-agents
run: pnpm nx run-many -t build --no-agents --skip-nx-cache

- name: Generate API Docs
shell: bash
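Review bot: the rationale for adding `--skip-nx-cache` is not recorded anywhere in this hunk; add a short comment above the `Run Builds` step. Skipping the Nx computation cache means the beta publish path rebuilds every package from the checked-out sources instead of restoring previously cached outputs, which is a sensible guarantee that what gets published matches this run's sources, but it also lengthens every publish, so without an explanation the flag is likely to be removed the next time someone tunes build times.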
2 changes: 1 addition & 1 deletion .github/actions/publish-release/action.yml
@@ -32,7 +32,7 @@ runs:

- name: Run Builds
shell: bash
run: pnpm nx run-many -t build --no-agents
run: pnpm nx run-many -t build --no-agents --skip-nx-cache

- name: Generate API Docs
shell: bash
28 changes: 19 additions & 9 deletions .github/workflows/publish.yml
@@ -6,19 +6,19 @@ on:
workflow_dispatch:
inputs:
snapshot_tag:
description: 'changesets snapshot tag (beta/canary)'
description: "changesets snapshot tag (beta/canary)"
required: false
default: 'beta'
default: "beta"
type: string
npm_tag:
description: 'npm dist-tag for publishing snapshot'
description: "npm dist-tag for publishing snapshot"
required: false
default: 'beta'
default: "beta"
type: string
npm_access:
description: 'access level for publishing snapshot to npm'
description: "access level for publishing snapshot to npm"
required: false
default: 'public'
default: "public"
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Expect no raw `${{ inputs.* }}` interpolation directly inside shell commands.
rg -n -C2 '\brun:\s*.*\$\{\{\s*inputs\.' .github/workflows/publish.yml || true
rg -n -C2 '\$\{\{\s*inputs\.(snapshot_tag|npm_tag|npm_access)\s*\}\}' .github/workflows/publish.yml

Repository: ForgeRock/ping-javascript-sdk

Length of output: 1388


Avoid interpolating dispatch inputs directly into shell commands.

snapshot_tag and npm_tag are free-form strings expanded directly in run commands at lines 135 and 141, creating a shell injection vulnerability. Pass them via env and quote the shell variables.

Proposed fix
       - name: Version Packages for snapshot
-        run: pnpm changeset version --snapshot ${{ inputs.snapshot_tag }}
         env:
           GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
+          SNAPSHOT_TAG: ${{ inputs.snapshot_tag }}
+        run: pnpm changeset version --snapshot "$SNAPSHOT_TAG"
 
       - name: Publish packages snapshot with npm_tag
         id: npmpublish
-        run: pnpm publish -r --tag ${{ inputs.npm_tag }} --no-git-checks --access ${{ inputs.npm_access }}
+        env:
+          NPM_TAG: ${{ inputs.npm_tag }}
+          NPM_ACCESS: ${{ inputs.npm_access }}
+        run: pnpm publish -r --tag "$NPM_TAG" --no-git-checks --access "$NPM_ACCESS"
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/publish.yml around lines 8 - 21, inputs snapshot_tag and npm_tag are being interpolated directly into run commands (creating a shell injection risk); instead, expose them via the step's env block (e.g. set env: SNAPSHOT_TAG: ${{ github.event.inputs.snapshot_tag }} and NPM_TAG: ${{ github.event.inputs.npm_tag }}) and then use the quoted shell variables inside the run script ("$SNAPSHOT_TAG" and "$NPM_TAG"); update the steps that currently reference snapshot_tag and npm_tag inline to read from these env vars and ensure you quote them in all shell uses.

type: choice
options:
- public
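Review bot: this hunk only normalises quote style on the input descriptions and defaults, so `snapshot_tag` and `npm_tag` remain free-form `type: string` inputs while `npm_access` is constrained to `type: choice`. Even once the env-plus-quoting change from the review comment above is applied at the use sites, an arbitrary dist-tag can still be supplied through `npm_tag`; consider giving it the same `type: choice` treatment as `npm_access`, restricted to the dist-tags this workflow is meant to publish, or adding a validation step that fails the job for any value outside that set before the publish step runs.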
@@ -61,7 +61,7 @@ jobs:
version: pnpm ci:version
title: Release PR
branch: main
commit: 'chore: version-packages'
commit: "chore: version-packages"
setupGitUser: true
env:
GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
@@ -94,8 +94,18 @@ jobs:
retention-days: 30

snapshot:
if: ${{ github.event_name == 'workflow_dispatch' }}
name: Publish snapshot/beta to npm
# Guard against publishing snapshots from the protected release branch.
# Both github.ref (the branch selected in the UI) and inputs.branch (the
# free-text checkout ref) must be checked, since they are independent values
# and the checkout step uses inputs.branch directly.
if: >-
${{
github.event_name == 'workflow_dispatch' &&
github.ref != 'refs/heads/changeset-release/main' &&
github.event.inputs.branch != 'changeset-release/main' &&
github.event.inputs.branch != 'refs/heads/changeset-release/main'
}}
name: Publish Snapshots
permissions:
contents: write
id-token: write
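Review bot: the new `if` guard is an exact-string denylist on two independent values, and exact-match checks on a free-text ref only cover the spellings listed: the comment itself says `inputs.branch` is free text and is consumed directly by the checkout step, so any other way of naming the same commit (a SHA, a tag, or a third spelling of the branch name) passes the guard, and each new spelling needs yet another `!=` clause. Prefer an allowlist (a `type: choice` input, or `startsWith`/`contains` checks against the permitted prefixes) or resolve the ref after checkout and fail the job if it points at the release branch's head. Two smaller points: the comment refers to `inputs.branch` while the expression uses `github.event.inputs.branch` (equivalent for `workflow_dispatch`, but pick one form), and since this job keeps `contents: write` and `id-token: write`, this guard is the only thing between a free-text input and a privileged publish, so it deserves a dry-run dispatch against the release branch before merge to confirm it actually skips.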
3 changes: 2 additions & 1 deletion .gitignore
@@ -93,4 +93,5 @@ GEMINI.md
**/GEMINI.md

.claude/worktrees
.claude/settings.local.json
.claude/settings.local.json
.opensource
2 changes: 1 addition & 1 deletion package.json
@@ -15,7 +15,7 @@
"scripts": {
"build": "nx sync && nx affected --target=build",
"changeset": "changeset",
"ci:release": "pnpm nx run-many -t build --no-agents && pnpm publish -r --no-git-checks && changeset tag",
"ci:release": "pnpm nx run-many -t build --no-agents --skip-nx-cache && pnpm publish -r --no-git-checks && changeset tag",
"ci:version": "changeset version && pnpm install --no-frozen-lockfile && pnpm nx format:write --uncommitted",
"circular-dep-check": "madge --circular .",
"clean": "shx rm -rf ./{coverage,dist,docs,node_modules,tmp}/ ./{packages,e2e}/*/{dist,node_modules}/ ./e2e/node_modules/ && git clean -fX -e \"!.env*,nx-cloud.env\" -e \"!**/GEMINI.md\"",
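Review bot: this is the third copy of the same build invocation (`pnpm nx run-many -t build --no-agents --skip-nx-cache`), alongside the two composite actions in this PR; drift between the copies is the likely failure mode the next time a flag changes. Define it once, for example as a `ci:build` script in this `scripts` block, and have `ci:release` and both actions call that, so the no-cache guarantee for release builds cannot quietly diverge. Note also that `--skip-nx-cache` only affects the build step; the `pnpm publish -r --no-git-checks` that follows still publishes whatever is in each package's output directory, so running the existing `clean` script (a few lines below) before the build would make the fresh-build guarantee complete.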