Skip to content
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
74 changes: 74 additions & 0 deletions .github/workflows/release.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,74 @@
name: Release Claude Plugin

on:
workflow_dispatch:
inputs:
bump:
description: "Version bump type"
type: choice
required: true
default: patch
options:
- patch
- minor
- major

permissions:
contents: write

jobs:
release:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
with:
ssh-key: ${{ secrets.RELEASE_SSH_KEY }}

- name: Bump plugin version
id: bump
env:
BUMP: ${{ inputs.bump }}
run: |
set -euo pipefail
PLUGIN_FILE=".claude-plugin/plugin.json"

OLD_VERSION=$(jq -r '.version' "$PLUGIN_FILE")
if [ -z "$OLD_VERSION" ] || [ "$OLD_VERSION" = "null" ]; then
echo "Could not read version from $PLUGIN_FILE" >&2
exit 1
fi

IFS='.' read -r MAJOR MINOR PATCH <<< "$OLD_VERSION"

case "$BUMP" in
major) MAJOR=$((MAJOR + 1)); MINOR=0; PATCH=0 ;;
minor) MINOR=$((MINOR + 1)); PATCH=0 ;;
patch) PATCH=$((PATCH + 1)) ;;
esac

NEW_VERSION="${MAJOR}.${MINOR}.${PATCH}"

tmp=$(mktemp)
jq --arg v "$NEW_VERSION" '.version = $v' "$PLUGIN_FILE" > "$tmp"
mv "$tmp" "$PLUGIN_FILE"

echo "old_version=$OLD_VERSION" >> "$GITHUB_OUTPUT"
echo "new_version=$NEW_VERSION" >> "$GITHUB_OUTPUT"
echo "Bumped $OLD_VERSION -> $NEW_VERSION"

Comment on lines +32 to +59

@github-actions github-actions Bot Jul 5, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Opengrepsecurity.gha.run-shell-injection-inputs (WARNING)

A composite-action / reusable-workflow / workflow_dispatch inputs.* value is interpolated directly into this run/script block. Inputs are supplied by the caller, who may pass attacker-controlled data into them — e.g. a caller invoking this with version: ${{ github.event.pull_request.head.ref }} (a fork branch name). Because the input value is substituted before the shell runs, the callee cannot trust it. Defensive fix: copy the input into a step-level env: entry (e.g. VERSION: ${{ inputs.version }}) and reference the quoted environment variable in the script instead (echo "$VERSION"). This is advisory (WARNING): not every input carries untrusted data, but routing inputs through env: makes the component safe regardless of how callers use it. If an input appears only as a condition selecting between hard-coded string literals (e.g. ${{ inputs.flag && 'a' || 'b' }}), the emitted value is constant and that specific use is not exploitable — but hoist the condition into bash (set a boolean env: var and branch with if) so the run line carries no ${{ }} and the safety stays local and stable. Directly-untrusted github.* contexts are covered separately by security.gha.run-shell-injection.

Fixed in 502b127

- name: Commit and tag
env:
NEW_VERSION: ${{ steps.bump.outputs.new_version }}
OLD_VERSION: ${{ steps.bump.outputs.old_version }}
run: |
set -euo pipefail
git config user.name "github-actions[bot]"
git config user.email "41898282+github-actions[bot]@users.noreply.github.com"

git add .claude-plugin/plugin.json
git commit -m "Bump version from ${OLD_VERSION} to ${NEW_VERSION}"
git tag "v${NEW_VERSION}"

git push origin HEAD:main
git push origin "v${NEW_VERSION}"
Loading