From 2b50b5ed8114dd407f7f5e83c5f728d52cb228f7 Mon Sep 17 00:00:00 2001
From: Nelson Osacky
Date: Wed, 29 Apr 2026 08:51:43 +0200
Subject: [PATCH 1/3] fix(workflows): Drop injectable args, let sentry-cli auto-detect VCS
Alternate fix to #607. The sentry_dogfood workflow was passing head-sha, base-sha, vcs-provider, head/base-repo-name, head/base-ref, and pr-number explicitly via ${{ github.* }} interpolations, which created a script injection vector. Rather than moving those values into env: blocks, drop them entirely: sentry-cli's collect_git_metadata auto-detects every one of these from GitHub Actions env vars and GITHUB_EVENT_PATH when is_ci() is true. The auth token is also picked up from SENTRY_AUTH_TOKEN, so no flag is needed for it either. Removes the entire pull_request/push branching and every untrusted interpolation from run: blocks, eliminating the injection vector by construction.
Linear: https://linear.app/getsentry/issue/VULN-1590
---
 .github/workflows/sentry_dogfood.yml | 80 +++++-----------------------
 1 file changed, 14 insertions(+), 66 deletions(-)
diff --git a/.github/workflows/sentry_dogfood.yml b/.github/workflows/sentry_dogfood.yml
index 3fd837e8..0136c867 100644
--- a/.github/workflows/sentry_dogfood.yml
+++ b/.github/workflows/sentry_dogfood.yml
@@ -33,73 +33,21 @@ jobs:
 mv "$EXTRACTED_PATH" ./HackerNews.xcarchive
 - name: Upload iOS app to Sentry
+ env:
+ SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_SENTRY_AUTH_TOKEN }}
 run: |
- if [ "${{ github.event_name }}" == "pull_request" ]; then
- sentry-cli \
- --log-level=debug \
- --auth-token ${{ secrets.SENTRY_SENTRY_AUTH_TOKEN }} \
- build \
- upload \
- ./HackerNews.xcarchive \
- --org sentry \
- --project launchpad-test-ios \
- --head-sha ${{ github.event.pull_request.head.sha }} \
- --base-sha ${{ github.event.pull_request.base.sha }} \
- --vcs-provider github \
- --head-repo-name ${{ github.repository }} \
- --base-repo-name ${{ github.repository }} \
- --head-ref ${{ github.head_ref }} \
- --base-ref ${{ github.base_ref }} \
- --pr-number ${{ github.event.number }} \
- --build-configuration Release
- else
- sentry-cli \
- --log-level=debug \
- --auth-token ${{ secrets.SENTRY_SENTRY_AUTH_TOKEN }} \
- build \
- upload \
- ./HackerNews.xcarchive \
- --org sentry \
- --project launchpad-test-ios \
- --head-sha ${{ github.sha }} \
- --vcs-provider github \
- --head-repo-name ${{ github.repository }} \
- --head-ref ${{ github.ref_name }} \
- --build-configuration Release
- fi
+ sentry-cli --log-level=debug build upload \
+ ./HackerNews.xcarchive \
+ --org sentry \
+ --project launchpad-test-ios \
+ --build-configuration Release
 - name: Upload Android app to Sentry
+ env:
+ SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_SENTRY_AUTH_TOKEN }}
 run: |
- if [ "${{ github.event_name }}" == "pull_request" ]; then
- sentry-cli \
- --log-level=debug \
- --auth-token ${{ secrets.SENTRY_SENTRY_AUTH_TOKEN }} \
- build \
- upload \
- ./tests/_fixtures/android/hn.aab \
- --org sentry \
- --project launchpad-test-android \
- --head-sha ${{ github.event.pull_request.head.sha }} \
- --base-sha ${{ github.event.pull_request.base.sha }} \
- --vcs-provider github \
- --head-repo-name ${{ github.repository }} \
- --base-repo-name ${{ github.repository }} \
- --head-ref ${{ github.head_ref }} \
- --base-ref ${{ github.base_ref }} \
- --pr-number ${{ github.event.number }} \
- --build-configuration Release
- else
- sentry-cli \
- --log-level=debug \
- --auth-token ${{ secrets.SENTRY_SENTRY_AUTH_TOKEN }} \
- build \
- upload \
- ./tests/_fixtures/android/hn.aab \
- --org sentry \
- --project launchpad-test-android \
- --head-sha ${{ github.sha }} \
- --vcs-provider github \
- --head-repo-name ${{ github.repository }} \
- --head-ref ${{ github.ref_name }} \
- --build-configuration Release
- fi
+ sentry-cli --log-level=debug build upload \
+ ./tests/_fixtures/android/hn.aab \
+ --org sentry \
+ --project launchpad-test-android \
+ --build-configuration Release
From 4c3fd36f951bf76ab029e431ea24b2c61151af82 Mon Sep 17 00:00:00 2001
From: Nelson Osacky
Date: Wed, 29 Apr 2026 08:54:20 +0200
Subject: [PATCH 2/3] chore(workflows): Bump sentry-cli to 3.4.1
---
 .github/workflows/sentry_dogfood.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/sentry_dogfood.yml b/.github/workflows/sentry_dogfood.yml
index 0136c867..1f60ac7a 100644
--- a/.github/workflows/sentry_dogfood.yml
+++ b/.github/workflows/sentry_dogfood.yml
@@ -22,7 +22,7 @@ jobs:
 - name: Install Sentry CLI
 run: |
- curl -L -o sentry-cli https://github.com/getsentry/sentry-cli/releases/download/2.53.0-alpha/sentry-cli-Darwin-universal
+ curl -L -o sentry-cli https://github.com/getsentry/sentry-cli/releases/download/3.4.1/sentry-cli-Darwin-universal
 chmod +x sentry-cli
 sudo mv sentry-cli /usr/local/bin/
From 47299b74ee07a192d43198c6479c6c5c28f81564 Mon Sep 17 00:00:00 2001
From: Nelson Osacky
Date: Wed, 29 Apr 2026 08:54:47 +0200
Subject: [PATCH 3/3] chore(workflows): Use sentry-cli installer script
---
 .github/workflows/sentry_dogfood.yml | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/.github/workflows/sentry_dogfood.yml b/.github/workflows/sentry_dogfood.yml
index 1f60ac7a..7fd0d842 100644
--- a/.github/workflows/sentry_dogfood.yml
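Review bot: The two new `run:` blocks now rely entirely on sentry-cli inferring head/base SHA, refs and PR number from the GitHub Actions environment, but nothing in the workflow records that, so a later edit that re-adds a `--head-sha ${{ ... }}` flag "for completeness" would silently reintroduce the injection path this commit closes. A comment above each `sentry-cli --log-level=debug build upload \` line would pin the intent: `# VCS metadata and SENTRY_AUTH_TOKEN are auto-detected from the Actions env; keep ${{ }} expressions out of run: (script injection).`, ideally noting the sentry-cli version the auto-detection was verified against, since the behaviour lives in the CLI rather than here. The identical `env:` stanzas on both steps could move to a single job-level `env:` so the token is declared once. Whether detection also yields PR association on the `push` path cannot be confirmed from the hunk; a one-time check of the resulting Sentry builds would close that gap. The enclosing job starts above this hunk.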
+++ b/.github/workflows/sentry_dogfood.yml
@@ -21,10 +21,7 @@ jobs:
 fetch-depth: 0
 - name: Install Sentry CLI
- run: |
- curl -L -o sentry-cli https://github.com/getsentry/sentry-cli/releases/download/3.4.1/sentry-cli-Darwin-universal
- chmod +x sentry-cli
- sudo mv sentry-cli /usr/local/bin/
+ run: curl -sL https://sentry.io/get-cli/ | SENTRY_CLI_VERSION="3.4.1" sh
 - name: Unzip iOS app
 run: |
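Review bot: The replacement `run: curl -sL https://sentry.io/get-cli/ | SENTRY_CLI_VERSION="3.4.1" sh` has no failure handling: without `-f`, curl feeds an HTTP error body straight to `sh`, and because a step with no explicit `shell:` runs under `bash -e` without `pipefail`, a failed download is hidden behind `sh`'s exit status and the job only fails later when `sentry-cli` is missing. At minimum use `run: curl -fsSL --retry 3 https://sentry.io/get-cli/ | SENTRY_CLI_VERSION="3.4.1" sh` so the step fails at the download. Note that `SENTRY_CLI_VERSION` only pins what the installer fetches, not the installer script itself, which is evaluated as served at run time; the removed form at least named a fixed release artifact, and fetching that artifact and verifying a checksum recorded in the workflow would make the install reproducible in a way a piped installer cannot. The job's `shell:` setting, which decides whether `pipefail` applies, is outside this hunk.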