Skip to content

Normalize WordPress.org deploy version from release tag#1791

Closed
pattonwebz wants to merge 1 commit into
developfrom
chore/normalize-dotorg-release-version
Closed

Normalize WordPress.org deploy version from release tag#1791
pattonwebz wants to merge 1 commit into
developfrom
chore/normalize-dotorg-release-version

Conversation

@pattonwebz

@pattonwebz pattonwebz commented Jun 23, 2026

Copy link
Copy Markdown
Member

Summary

  • add a release-version normalization step in the dotorg deploy workflow
  • strip leading and trailing 'v' characters from the release tag before passing VERSION

Why

A release tag containing a v prefix/suffix produced an incorrect WordPress.org SVN tag.

Summary by CodeRabbit

  • Chores
    • Improved release deployment workflow to normalize version formatting, ensuring consistent and reliable handling of version identifiers during automated releases.

Strip a leading or trailing 'v' from release tag_name before passing VERSION to the WordPress.org deploy action.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@gemini-code-assist

Copy link
Copy Markdown
Contributor

Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

@coderabbitai

coderabbitai Bot commented Jun 23, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

📝 Walkthrough

Walkthrough

The deploy workflow gains a new Normalize release version step that reads the release tag (falling back to GITHUB_REF_NAME), strips any leading or trailing v, and emits the result as a step output. The subsequent WordPress plugin deploy step now references that normalized output for its VERSION environment variable instead of using the raw tag name directly.

Changes

Release Version Normalization

Layer / File(s) Summary
Version normalization step and deploy wiring
.github/workflows/deploy-on-release-to-dot-org.yml
Adds a shell step that extracts and sanitizes the release tag into a version output, then updates the deploy step to source VERSION from steps.release-version.outputs.version instead of github.event.release.tag_name.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

A version tag came in wearing a "v" hat,
The rabbit said "strip it, we can't have that!"
Now clean numbers flow straight to the deploy,
No prefix confusion to foil the ploy.
🐇✨ Off to dot-org it goes, hip-hip-hooray!

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately describes the main change: adding version normalization for WordPress.org deployment from release tags.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch chore/normalize-dotorg-release-version

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/deploy-on-release-to-dot-org.yml:
- Line 66: The GitHub Action `10up/action-wordpress-plugin-deploy` is pinned to
the movable tag `@stable` which can change over time and introduces supply-chain
risk. Replace the `@stable` tag with a full commit SHA to pin the action to a
specific immutable version. You can find the appropriate commit SHA by checking
the action's repository releases or tags, then update the uses directive to
reference that SHA instead of the `@stable` tag.
- Around line 60-63: Add a validation check immediately after the
NORMALIZED_VERSION variable is set (after the line that echoes the version to
GITHUB_OUTPUT) to verify that NORMALIZED_VERSION is not empty. If
NORMALIZED_VERSION is empty, the script should exit with a clear error message
indicating that the tag format is invalid, preventing the deploy job from
proceeding with an empty version string. This guard should reference the
RAW_VERSION variable in the error message to help identify what tag was used.
- Around line 56-58: Remove the direct `${{ github.event.release.tag_name }}`
interpolation from the shell code in the `run` step to prevent command injection
vulnerabilities. Instead, define the RAW_VERSION value in the `env:` section of
the step using the GitHub context, then reference it in the shell code using the
standard shell variable syntax `$RAW_VERSION`. This ensures the tag content is
safely passed as an environment variable rather than being interpolated as raw
shell code where special characters could be exploited.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 1965c96c-d224-41a6-a582-d6f179f6dab8

📥 Commits

Reviewing files that changed from the base of the PR and between 5d116fd and c76a14b.

📒 Files selected for processing (1)
  • .github/workflows/deploy-on-release-to-dot-org.yml

Comment on lines +56 to +58
RAW_VERSION="${{ github.event.release.tag_name }}"
if [ -z "$RAW_VERSION" ]; then
RAW_VERSION="${GITHUB_REF_NAME}"

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🔴 Critical | ⚡ Quick win

Avoid direct ${{ }} interpolation inside run shell code (command-injection risk).

On Line 56, tag content is injected into shell source before execution. A crafted tag containing shell substitution syntax can execute commands in the runner context. Pass the value via env: and read it from a shell variable instead.

Suggested fix
       - name: Normalize release version
         id: release-version
+        env:
+          RELEASE_TAG_NAME: ${{ github.event.release.tag_name }}
         run: |
-          RAW_VERSION="${{ github.event.release.tag_name }}"
+          RAW_VERSION="$RELEASE_TAG_NAME"
           if [ -z "$RAW_VERSION" ]; then
             RAW_VERSION="${GITHUB_REF_NAME}"
           fi
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
RAW_VERSION="${{ github.event.release.tag_name }}"
if [ -z "$RAW_VERSION" ]; then
RAW_VERSION="${GITHUB_REF_NAME}"
- name: Normalize release version
id: release-version
env:
RELEASE_TAG_NAME: ${{ github.event.release.tag_name }}
run: |
RAW_VERSION="$RELEASE_TAG_NAME"
if [ -z "$RAW_VERSION" ]; then
RAW_VERSION="${GITHUB_REF_NAME}"
fi
🧰 Tools
🪛 zizmor (1.26.1)

[error] 56-56: code injection via template expansion (template-injection): may expand into attacker-controllable code

(template-injection)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/deploy-on-release-to-dot-org.yml around lines 56 - 58,
Remove the direct `${{ github.event.release.tag_name }}` interpolation from the
shell code in the `run` step to prevent command injection vulnerabilities.
Instead, define the RAW_VERSION value in the `env:` section of the step using
the GitHub context, then reference it in the shell code using the standard shell
variable syntax `$RAW_VERSION`. This ensures the tag content is safely passed as
an environment variable rather than being interpolated as raw shell code where
special characters could be exploited.

Source: Linters/SAST tools

Comment on lines +60 to +63
NORMALIZED_VERSION="${RAW_VERSION#v}"
NORMALIZED_VERSION="${NORMALIZED_VERSION%v}"
echo "version=$NORMALIZED_VERSION" >> "$GITHUB_OUTPUT"

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Fail fast when normalized version is empty to prevent invalid deploy tags.

If the tag is v (or empty), normalization yields an empty VERSION, and the deploy step still runs. Add a guard to stop the job with a clear error before publishing.

Suggested fix
           NORMALIZED_VERSION="${RAW_VERSION#v}"
           NORMALIZED_VERSION="${NORMALIZED_VERSION%v}"
+          if [ -z "$NORMALIZED_VERSION" ]; then
+            echo "Normalized version is empty. Check release tag format." >&2
+            exit 1
+          fi
           echo "version=$NORMALIZED_VERSION" >> "$GITHUB_OUTPUT"
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/deploy-on-release-to-dot-org.yml around lines 60 - 63, Add
a validation check immediately after the NORMALIZED_VERSION variable is set
(after the line that echoes the version to GITHUB_OUTPUT) to verify that
NORMALIZED_VERSION is not empty. If NORMALIZED_VERSION is empty, the script
should exit with a clear error message indicating that the tag format is
invalid, preventing the deploy job from proceeding with an empty version string.
This guard should reference the RAW_VERSION variable in the error message to
help identify what tag was used.


- name: WordPress plugin deploy
id: deploy
uses: 10up/action-wordpress-plugin-deploy@stable

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Pin third-party GitHub Action to a full commit SHA.

Line 66 uses a movable tag (@stable). Pinning to an immutable SHA is required to prevent supply-chain drift in release workflows.

🧰 Tools
🪛 zizmor (1.26.1)

[error] 66-66: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/deploy-on-release-to-dot-org.yml at line 66, The GitHub
Action `10up/action-wordpress-plugin-deploy` is pinned to the movable tag
`@stable` which can change over time and introduces supply-chain risk. Replace
the `@stable` tag with a full commit SHA to pin the action to a specific
immutable version. You can find the appropriate commit SHA by checking the
action's repository releases or tags, then update the uses directive to
reference that SHA instead of the `@stable` tag.

Source: Linters/SAST tools

@pattonwebz

Copy link
Copy Markdown
Member Author

Closing as superseded: develop already contains d9e4de8 ("fix: strip leading v from release tag before using as SVN version"), which landed after this branch was cut and does the same core normalization — that competing edit at the same spot in the workflow is also why this PR shows a merge conflict.

The two extras here don't survive scrutiny:

  • The GITHUB_REF_NAME fallback for empty tag names (real on workflow_dispatch runs) would pass a branch name like "main" as the deploy VERSION, creating a bogus SVN tag — worse than the empty VERSION the 10up action handles by deriving the version from the plugin file.
  • The trailing-v strip has no real-world input.

If we want to harden the manual-dispatch path, that should be a small separate PR that derives the version from the plugin header (or fails loudly) rather than falling back to the ref name.

@pattonwebz pattonwebz closed this Jul 8, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant