
fix: pass commit message via env var to prevent shell injection#16

Merged
HumbleBee14 merged 2 commits into main from fix/workflow-commit-msg-interpolation
Apr 19, 2026

Conversation

@HumbleBee14
Owner

The "Bump version" step was substituting `github.event.head_commit.message` directly into bash via `${{ }}`. When a squash-merge commit body contained lines like 'RELEASE_PAT' or 'fix:', bash tried to execute them.

Summary

  • Pass commit message via env (COMMIT_MSG) to bypass shell interpolation
  • Use only first line for type detection

Type of change

  • fix Bug fix

Testing

  • Next merge should succeed

Direct `${{ github.event.head_commit.message }}` substitution in a `run` block can break bash when the message contains colons, hash signs, or command-like lines (e.g. 'RELEASE_PAT' from a squash-merge body). Pass it via `env` and also take only the subject line for type detection.

Simulates the version-bump step on every PR using the PR title as the commit message, catching shell injection and version parsing bugs before merge. Also adds a debug build to catch compile breaks early.
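Added example, not the repository's own workflow script: a shell helper in the shape the PR describes, reading the commit message from the `COMMIT_MSG` environment variable (set once in the step's `env:` block rather than spliced into `run:` by `${{ }}`), inspecting only the subject line, and bumping a semver tag. The commit prefixes, the major/minor/patch mapping and the constructed commit message are assumptions.

```shell
#!/bin/sh
# Added example, not the repository's own script: a version-bump helper that
# reads the commit message from the COMMIT_MSG environment variable, which the
# workflow sets once (env: COMMIT_MSG: ${{ github.event.head_commit.message }})
# so the text is never spliced into the script body by ${{ }} expansion.
# The commit prefixes and the major/minor/patch mapping are assumptions.
set -eu

# Only the subject line is inspected: squash-merge bodies carry bullet lines
# such as "RELEASE_PAT" or "fix: ..." that must not influence type detection.
bump_type() {
  case "$(printf '%s\n' "${COMMIT_MSG:-}" | head -n 1)" in
    *'!:'*)             echo major ;;  # e.g. "feat!: drop legacy API"
    feat:*|feat\(*\):*) echo minor ;;
    fix:*|fix\(*\):*)   echo patch ;;
    *)                  echo none ;;
  esac
}

# bump_version 1.4.2 patch -> 1.4.3. Anything that is not x.y.z is rejected so
# a malformed tag fails the step loudly instead of yielding "1.4.2.1".
bump_version() {
  version=$1 level=$2
  case "$version" in
    *[!0-9.]*|.*|*.|*..*|*.*.*.*) echo "bad version: $version" >&2; return 1 ;;
    *.*.*) ;;
    *) echo "bad version: $version" >&2; return 1 ;;
  esac
  IFS=. read -r major minor patch <<EOF
$version
EOF
  case "$level" in
    major) echo "$((major + 1)).0.0" ;;
    minor) echo "$major.$((minor + 1)).0" ;;
    patch) echo "$major.$minor.$((patch + 1))" ;;
    none)  echo "$version" ;;
    *)     echo "unknown level: $level" >&2; return 1 ;;
  esac
}

# Constructed squash-merge message: under the old interpolation these body
# lines would have run as commands; passed through env they are only data.
export COMMIT_MSG='fix: pass commit message via env var (#16)

* RELEASE_PAT
* fix: colons: and #hashes in the body are harmless now'
level=$(bump_type)
printf 'type=%s next=%s\n' "$level" "$(bump_version 1.4.2 "$level")"
```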
@HumbleBee14 HumbleBee14 merged commit 25d93ee into main Apr 19, 2026
3 checks passed
@HumbleBee14 HumbleBee14 deleted the fix/workflow-commit-msg-interpolation branch April 19, 2026 19:22