Security Hardening: Replace execSync with execFileSync in release patch script

[S3DFX-CYBER]

Summary

• Fixed scripts/releasing/create-patch-pr.js to stop using shell-interpolated execSync and instead execute commands with execFileSync through shared helpers (runCommand, runGit), which now pass command arguments as arrays for safer execution.
• Added commit SHA validation (7-40 hex chars) before running cherry-pick operations to harden input handling.
• Updated all relevant git/gh/node command paths (branch checks, cherry-pick flow, PR creation, release-version lookup, and dry-run output) to use argument-based execution instead of constructed shell strings, preserving existing behavior while reducing injection risk.

Details

Related Issues

Closes #24748

How to Validate

Pre-Merge Checklist

• Updated relevant documentation and README (if needed)
• Added/updated tests (if needed)
• Noted breaking changes (if any)
• Validated on required platforms/methods:
  • MacOS
    • npm run
    • npx
    • Docker
    • Podman
    • Seatbelt
  • Windows
    • npm run
    • npx
    • Docker
  • Linux
    • npm run
    • npx
    • Docker
    • - [ ] - [ ] - [ ] - [ ] - [ ] - [ ] - [ ] - [ ] - [ ] - [ ] - [ ] - [ ] - [ ] - [ ] - [ ] - [ ] - [ ] - [ ] - [ ] - [ ] - [ ] - [ ] - [ ] - [ ] - [ ] - [ ] - [ ] - [ ] - [ ] - [ ] - [ ] - [ ] - [ ] - [ ] - [ ] - [ ] - [ ] - [ ] - [ ] - [ ] - [ ]

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request improves the security posture of the release patch automation script by moving away from shell-constructed commands. By adopting argument-based execution, the script significantly reduces the risk of command injection. Additionally, the changes introduce input validation for commit SHAs and standardize the execution flow, ensuring a more robust and maintainable release process.

Highlights

• Security Hardening: Replaced unsafe shell-interpolated execSync calls with execFileSync using argument arrays to mitigate command injection risks.
• Input Validation: Implemented strict commit SHA validation (7-40 hex characters) to ensure only valid inputs are processed during cherry-pick operations.
• Refactored Command Execution: Introduced centralized runCommand and runGit helpers to standardize command execution, logging, and error handling across the release script.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[S3DFX-CYBER]

@gemini-code-assist review

[gemini-code-assist]

Code Review

This pull request refactors the release script to use execFileSync via new runCommand and runGit utilities, while adding a validateCommitSha helper to improve security. However, several critical issues were identified: a typo (dryRub) that bypasses dry-run safety checks, multiple instances where single quotes are used instead of backticks (preventing variable interpolation in log and error messages), a syntax error in the dry-run summary due to nested quotes, and a potential ReferenceError caused by deleting the run function while it is still called elsewhere in the script.

[gemini-code-assist]

Code Review

This pull request refactors the release script to use execFileSync through new helper functions like runCommand and runGit to improve security and argument handling. It also introduces commit SHA validation. Several critical bugs were identified, including a typo in the dry-run logic (dryRub) and numerous instances where single quotes are used instead of backticks, preventing variable interpolation in log messages and command arguments. Additionally, the removal of the run function may lead to reference errors in parts of the script not fully updated.

[S3DFX-CYBER]

@gemini-code-assist review

[gemini-code-assist]

Code Review

This pull request refactors the create-patch-pr.js script to improve command execution by replacing execSync with execFileSync and introducing structured helper functions like runCommand and runGit. These changes enhance argument handling, improve dry-run logging, and remove redundant comments. However, a critical syntax error was identified in the newly added validateCommitSha function, where a missing closing parenthesis and semicolon in the Error constructor will prevent the script from executing correctly.

[S3DFX-CYBER]

@jacob314 feel free to review