Skip to content

fix: Node release custom package path#79

Merged
mamari90 merged 5 commits intomainfrom
node-release-custom-package
Dec 11, 2025
Merged

fix: Node release custom package path#79
mamari90 merged 5 commits intomainfrom
node-release-custom-package

Conversation

@mamari90
Copy link
Copy Markdown
Contributor

@mamari90 mamari90 commented Dec 11, 2025
edited
Loading

List of Changes

Motivation and Context

How Has This Been Tested?

Screenshots (if appropriate):

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)

Checklist:

  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.

@mamari90 mamari90 requested a review from a team as a code owner December 11, 2025 11:44
github-advanced-security[bot]
github-advanced-security AI found potential problems Dec 11, 2025
View reviewed changes
Comment thread node-release/action.yml Fixed
Comment thread node-release/action.yml Fixed
Comment thread node-release/action.yml Fixed
Comment thread node-release/action.yml Fixed
Comment thread node-release/action.yml Fixed
mamari90 and others added 2 commits December 11, 2025 14:32
@mamari90 @github-advanced-security
Potential fix for code scanning alert no. 135: Code injection
01dcbbc 
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@mamari90
Potential fix for code scanning alert no. 135: Code injection
663ab60
github-advanced-security[bot]
github-advanced-security AI found potential problems Dec 11, 2025
View reviewed changes
Comment thread node-release/action.yml
contents="$(jq '.version = "${{ steps.semver.outputs.new_version }}"' package.json)"
echo -E "${contents}" > package.json
contents="$(jq '.version = "${{ steps.semver.outputs.new_version }}"' ${PACKAGE_PATH}package.json)"
echo -E "${contents}" > ${PACKAGE_PATH}package.json

Check warning

Code scanning / CodeQL

Code injection Medium

Potential code injection in
${ steps.semver.outputs.new_version }
Loading
, which may be controlled by an external user.

Copilot Autofix

AI 4 months ago

The best way to fix this problem is to avoid directly interpolating untrusted values (such as ${{ steps.semver.outputs.new_version }}) into shell scripts or commands, especially when using double quotes or here-documents. Instead, assign expressions like ${{ steps.semver.outputs.new_version }} to an environment variable using the env: block, and then reference that variable within your shell script using the shell's native syntax (e.g., $NEW_VERSION). This prevents shell interpretation of potentially malicious input and adheres to GitHub's safe usage guidelines.
Specifically, in file node-release/action.yml, edit the block for "Push New Version".

  • In the step starting at line 107, update the env: block to include NEW_VERSION: ${{ steps.semver.outputs.new_version }}.
  • Then, update line 113 to reference $NEW_VERSION within single quotes in the jq command: jq '.version = "'$NEW_VERSION'"' ....
Suggested changeset 1
node-release/action.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/node-release/action.yml b/node-release/action.yml
--- a/node-release/action.yml
+++ b/node-release/action.yml
@@ -109,17 +109,18 @@
       shell: bash
       env:
         PACKAGE_PATH: ${{ inputs.package_path }}
+        NEW_VERSION: ${{ steps.semver.outputs.new_version }}
       run: |
-        contents="$(jq '.version = "${{ steps.semver.outputs.new_version }}"' ${PACKAGE_PATH}package.json)"
+        contents="$(jq '.version = "'$NEW_VERSION'"' ${PACKAGE_PATH}package.json)"
         echo -E "${contents}" > ${PACKAGE_PATH}package.json
   
         git add .
         git config --global user.email "github-bot@pagopa.it"
         git config --global user.name "pagopa-github-bot"
         if [ "${{ inputs.skip_ci }}" = "true" ]; then
-            git commit -m "Bump to version ${{ steps.semver.outputs.new_version }} [skip ci]" || exit 0
+            git commit -m "Bump to version $NEW_VERSION [skip ci]" || exit 0
           else
-            git commit -m "Bump to version ${{ steps.semver.outputs.new_version }}" || exit 0
+            git commit -m "Bump to version $NEW_VERSION" || exit 0
         fi
         git push origin ${{ github.ref_name}}
 
EOF
@@ -109,17 +109,18 @@
shell: bash
env:
PACKAGE_PATH: ${{ inputs.package_path }}
NEW_VERSION: ${{ steps.semver.outputs.new_version }}
run: |
contents="$(jq '.version = "${{ steps.semver.outputs.new_version }}"' ${PACKAGE_PATH}package.json)"
contents="$(jq '.version = "'$NEW_VERSION'"' ${PACKAGE_PATH}package.json)"
echo -E "${contents}" > ${PACKAGE_PATH}package.json

git add .
git config --global user.email "github-bot@pagopa.it"
git config --global user.name "pagopa-github-bot"
if [ "${{ inputs.skip_ci }}" = "true" ]; then
git commit -m "Bump to version ${{ steps.semver.outputs.new_version }} [skip ci]" || exit 0
git commit -m "Bump to version $NEW_VERSION [skip ci]" || exit 0
else
git commit -m "Bump to version ${{ steps.semver.outputs.new_version }}" || exit 0
git commit -m "Bump to version $NEW_VERSION" || exit 0
fi
git push origin ${{ github.ref_name}}

Copilot is powered by AI and may make mistakes. Always verify output.
@mamari90 mamari90 merged commit 27e1f41 into main Dec 11, 2025
5 checks passed
@mamari90 mamari90 deleted the node-release-custom-package branch December 11, 2025 14:15
@github-actions
Copy link
Copy Markdown

github-actions bot commented Dec 11, 2025

🎉 This PR is included in version 2.3.1 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@mamari90 mamari90

Labels

released

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@mamari90 @github-advanced-security