[Security] Fix command injection in treeKill utility #5720

Workflow file for this run

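# Release workflow. One job per trigger family:
#   - snapit:              "/snapit" comment on a PR -> snapshot publish via Shopify/snapit
#   - changeset-release:   push to main / stable/* (or dispatch with an empty tag) -> changesets PR or publish
#   - manual-cron-release: nightly schedule or dispatch with a tag -> `pnpm release <tag>`
name: Release

on:
  # Trigger for snapit functionality
  issue_comment:
    types:
      - created
  # Trigger for changeset release functionality
  push:
    branches:
      - main
      - stable/*
  # Trigger for manual/cron release functionality
  schedule:
    - cron: '0 6 * * *' # 6:00 AM UTC every day
  workflow_dispatch:
    inputs:
      tag:
        description: 'Tag'
        default: 'nightly'
        type: choice
        options:
          - nightly
          - latest
          - experimental

concurrency:
  # NOTE(review): github.head_ref is empty for push/schedule/issue_comment runs, so those fall
  # through to run_id and never cancel each other - confirm that is the intended grouping.
  group: changeset-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true

env:
  PNPM_VERSION: '10.11.1'
  # NOTE(review): a workflow-level token is exposed to every step of every job, including third-party
  # actions. Each step that needs it below also sets it explicitly, so this global entry may be droppable.
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

jobs:
  # Snapit job - runs when /snapit comment is made on a PR
  snapit:
    name: Snapit
    # Exact-match on the comment body; the pull_request check excludes comments on plain issues.
    if: ${{ github.event_name == 'issue_comment' && github.event.issue.pull_request && github.event.comment.body == '/snapit' }}
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
      id-token: write # presumably for the OIDC-based provenance publish below (NPM_TOKEN is empty) - confirm
    steps:
      # WARNING: DO NOT RUN ANY CUSTOM LOCAL SCRIPT BEFORE RUNNING THE SNAPIT ACTION
      # This action can be executed by 3rd party users and it should not be able to run arbitrary code from a PR.
      - name: Checkout current branch
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Setup deps
        uses: ./.github/actions/setup-cli-deps
        with:
          node-version: '24.12.0'
      - name: Force snapshot changeset
        run: "mv .changeset/force-snapshot-build.md.ignore .changeset/force-snapshot-build.md"
      - name: Create snapshot version
        uses: Shopify/snapit@0fec17dd6a0ae66f2672738dc8086f394218436c # registry-and-package-manager
        with:
          comment_is_global: 'true'
          comment_packages: '@shopify/cli'
          # Literal block scalar: a double-quoted multi-line string folds single line breaks into
          # spaces, which collapses the blockquote onto one line and breaks the [!CAUTION] alert.
          # The leading empty line keeps the suffix separated from the comment body.
          comment_suffix: |-

            > [!CAUTION]
            > After installing, validate the version by running `shopify version` in your terminal.
            > If the versions don't match, you might have multiple global instances installed.
            > Use `which shopify` to find out which one you are running and uninstall it.
          comment_command_flags: '--@shopify:registry=https://registry.npmjs.org'
          build_script: "node bin/update-cli-kit-version.js && pnpm nx run-many --target=bundle --all --skip-nx-cache --output-style=stream && pnpm refresh-manifests"
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          NPM_TOKEN: ''
          NPM_CONFIG_PROVENANCE: true
          SHOPIFY_CLI_BUILD_REPO: ${{ github.repository }}

  # Changeset release job - runs on push to main or stable branches
  changeset-release:
    name: Changeset Release
    # NOTE(review): the `tag` input defaults to 'nightly', so the workflow_dispatch branch of this
    # condition may be unreachable in practice - confirm.
    if: ${{ github.event_name == 'push' || (github.event_name == 'workflow_dispatch' && github.event.inputs.tag == '') }}
    runs-on: ubuntu-latest
    permissions:
      contents: write # pushes tags and stable/* branches, creates the GitHub release
      pull-requests: write
      id-token: write
    steps:
      # fetch-depth 0 makes Actions fetch all Git history so that Changesets can generate changelogs with the correct commits.
      # checkout@v4 matches the snapit job (v3 is on a deprecated runner runtime); consider SHA-pinning like the other actions.
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Setup deps
        uses: ./.github/actions/setup-cli-deps
        with:
          node-version: '24.12.0'
      - name: Create Release Pull Request
        id: changesets
        uses: changesets/action@6a0a831ff30acef54f2c6aa1cbbc1096b066edaf # v1
        with:
          version: pnpm changeset-manifests
          title: Version Packages - ${{ github.ref_name }}
          createGithubReleases: false
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      # Everything below only runs once all changesets have been consumed (i.e. the version PR merged).
      - name: Publish packages
        if: steps.changesets.outputs.hasChangesets == 'false'
        run: pnpm release latest
        env:
          NPM_TOKEN: ''
          NPM_CONFIG_PROVENANCE: true
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SHOPIFY_CLI_BUILD_REPO: ${{ github.repository }}
      - name: Get version
        id: version
        if: steps.changesets.outputs.hasChangesets == 'false'
        # Reads the CLI package version and exposes it as steps.version.outputs.version.
        run: |
          set -euo pipefail
          VERSION=$(node -p "require('./packages/cli/package.json').version")
          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
          echo "Version: $VERSION"
      - name: Create tag
        if: steps.changesets.outputs.hasChangesets == 'false'
        env:
          TAG: ${{ steps.version.outputs.version }}
        # Idempotent: a re-run after a partial failure skips tags that already exist on origin.
        run: |
          set -euo pipefail
          if git ls-remote --exit-code --tags origin "$TAG" >/dev/null 2>&1; then
            echo "Tag $TAG already exists, skipping"
            exit 0
          fi
          git tag "$TAG"
          git push origin "$TAG"
          echo "Created tag $TAG"
      - name: Create stable branch
        # Only for x.y.0 releases cut from main: creates stable/x.y from the current HEAD.
        if: steps.changesets.outputs.hasChangesets == 'false' && github.ref_name == 'main' && endsWith(steps.version.outputs.version, '.0')
        env:
          VERSION: ${{ steps.version.outputs.version }}
        run: |
          set -euo pipefail
          MINOR=${VERSION%.0}
          BRANCH="stable/$MINOR"
          if git ls-remote --exit-code --heads origin "$BRANCH" >/dev/null 2>&1; then
            echo "Branch $BRANCH already exists, skipping"
            exit 0
          fi
          git push origin "HEAD:refs/heads/$BRANCH"
          echo "Created branch $BRANCH"
      - name: Create GitHub release
        if: steps.changesets.outputs.hasChangesets == 'false'
        env:
          TAG: ${{ steps.version.outputs.version }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        # --latest=legacy lets GitHub pick "latest" by version ordering instead of this release unconditionally.
        run: |
          set -euo pipefail
          if gh release view "$TAG" >/dev/null 2>&1; then
            echo "Release $TAG already exists, skipping"
            exit 0
          fi
          gh release create "$TAG" \
            --title "$TAG" \
            --generate-notes \
            --latest=legacy
          echo "Created release $TAG"

  # Manual/Cron release job - runs on schedule or manual trigger with tag
  manual-cron-release:
    name: Manual & Cron Release
    if: ${{ github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && github.event.inputs.tag != '') }}
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
      id-token: write
    steps:
      # fetch-depth 0 makes Actions fetch all Git history so that Changesets can generate changelogs with the correct commits.
      # checkout@v4 matches the snapit job (v3 is on a deprecated runner runtime); consider SHA-pinning like the other actions.
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Setup deps
        uses: ./.github/actions/setup-cli-deps
        with:
          node-version: '24.12.0'
      - name: Release
        env:
          # The tag is passed through the environment instead of interpolating ${{ }} into the
          # shell line. The choice input already constrains the value; this keeps the step
          # consistent with the other shell steps in this file, which all quote env vars.
          TAG: ${{ github.event.inputs.tag || 'nightly' }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          NPM_TOKEN: ''
          NPM_CONFIG_PROVENANCE: true
          SHOPIFY_CLI_BUILD_REPO: ${{ github.repository }}
        run: pnpm release "$TAG"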