fix(ci): quote release tags in generated github workflows#2387
Conversation
I missed that the contact email still references the axo.dev domain; I'll get that fixed. Thanks for flagging this. |
|
We've reviewed this and concluded that we don't believe this is a security issue. Creating a git tag is already a privileged operation; someone with the ability to create a tag in a repo doesn't need to abuse shell injection in order to do something. Regarding the change to |
Tested and works. That said, I'm happy to split the least privilege permissions change out if you'd prefer this PR stay focused only on the tag handling. |
Will respect whatever classification you folks land on here. My thinking is that in a compromised token or supply chain scenario, an attacker may get enough access to push a tag without being able to modify protected branches or reviewed workflow code. The generated workflow should ideally preserve that boundary by passing the tag as data to |
Summary
This hardens generated GitHub release workflows by passing release tags as data instead of shell command fragments.
Previously the generated workflow built
--tag=...fragments from GitHub tag inputs/refs and interpolated them intorun:shell scripts. This PR changes those paths to use environment variables plus quoted bash argv arrays before invokingdist.It also scopes the default workflow permission from root-level
contents: writeto root-levelcontents: read, with write permissions added only to publishing jobs that need them.I tried to report this through the private contact path first, but the listed email address bounced.
Validation
cargo check -p cargo-distcargo fmtcargo test -p cargo-dist tag --libcargo test -p cargo-dist --test integration-tests -- --test-threads=1cargo clippy --all-targets -- -D warningsgit diff --checkI also generated a downstream workflow from this branch and confirmed the unsafe tag interpolation patterns were gone.