Skip to content

build: revert infinite loop changes #141

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
JamesGeorg merged 2 commits into from
Dec 13, 2025
Merged

build: revert infinite loop changes #141

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
e17e133
build: revert infinite loop changes
JamesGeorg Dec 13, 2025
574dfac
Merge branch 'main' into npm-migration-5
JamesGeorg Dec 13, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
33 changes: 19 additions & 14 deletions .github/workflows/release.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,18 +1,20 @@
name: Releases

on:
push:
pull_request_target:
branches:
- main
types:
- closed

jobs:
merged-pr:
if: github.event.pull_request.merged == true && !contains(github.event.pull_request.title, '[skip ci]')
runs-on: ubuntu-latest
permissions:
id-token: write
contents: read

steps:

- name: Generate GitHub app token
id: generate_app_token
uses: actions/create-github-app-token@v1
Expand All @@ -23,11 +25,12 @@
- name: Checkout code
uses: actions/checkout@v4
with:
repository: ${{ github.event.pull_request.head.repo.full_name }}
token: ${{ steps.generate_app_token.outputs.token }}
fetch-depth: 0
fetch-depth: ${{ github.event.pull_request.commits }}

- name: Set up Node.js
uses: actions/setup-node@v4
uses: actions/setup-node@v3
with:
node-version: 24
registry-url: "https://registry.npmjs.org"
Expand All @@ -40,14 +43,14 @@
run: |
shopt -s nocasematch

COMMITS="$(git log --format=%B ${{ github.event.before }}..${{ github.sha }})"
PR_TITLE='${{ github.event.pull_request.title }}'

Check failure

Code scanning / CodeQL

Code injection Critical

Potential code injection in
${ github.event.pull_request.title }
Loading
, which may be controlled by an external user (
pull_request_target
Loading
).

Copilot Autofix

AI 3 months ago

To prevent potential code injection vulnerabilities with user-controlled input, the recommended GitHub Actions pattern is to pass the value into an environment variable and reference that variable from the shell. This involves two changes:

  1. Add an entry under env: in the problematic run: step, assigning something like PR_TITLE: ${{ github.event.pull_request.title }}.
  2. In the run: block, remove the direct variable assignment (PR_TITLE='...'), and simply use $PR_TITLE as needed.

In this case, we:

  • Remove line 46 (PR_TITLE='${{ github.event.pull_request.title }}').
  • Add env: under the step, defining PR_TITLE: ${{ github.event.pull_request.title }}.
  • All subsequent references to $PR_TITLE in the run: block already use the correct syntax.

No new methods or imports are required.

Suggested changeset 1
.github/workflows/release.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -43,8 +43,6 @@
         run: |
           shopt -s nocasematch
 
-          PR_TITLE='${{ github.event.pull_request.title }}'
-
           if [[ "$PR_TITLE" =~ (\[breaking\]|\[major\]) ]]; then
             echo "release_type=major" >> $GITHUB_OUTPUT
           elif [[ "$PR_TITLE" =~ \[minor\] ]]; then
@@ -55,6 +53,8 @@
 
           shopt -u nocasematch
         shell: bash
+        env:
+          PR_TITLE: ${{ github.event.pull_request.title }}
 
       - name: Conventional Changelog Action
         id: changelog
EOF
@@ -43,8 +43,6 @@
run: |
shopt -s nocasematch

PR_TITLE='${{ github.event.pull_request.title }}'

if [[ "$PR_TITLE" =~ (\[breaking\]|\[major\]) ]]; then
echo "release_type=major" >> $GITHUB_OUTPUT
elif [[ "$PR_TITLE" =~ \[minor\] ]]; then
@@ -55,6 +53,8 @@

shopt -u nocasematch
shell: bash
env:
PR_TITLE: ${{ github.event.pull_request.title }}

- name: Conventional Changelog Action
id: changelog
Copilot is powered by AI and may make mistakes. Always verify output.

if echo "$COMMITS" | grep -Eq '(\[breaking\]|\[major\])'; then
echo "release_type=major" >> "$GITHUB_OUTPUT"
elif echo "$COMMITS" | grep -Eq '\[minor\]'; then
echo "release_type=minor" >> "$GITHUB_OUTPUT"
if [[ "$PR_TITLE" =~ (\[breaking\]|\[major\]) ]]; then
echo "release_type=major" >> $GITHUB_OUTPUT
elif [[ "$PR_TITLE" =~ \[minor\] ]]; then
echo "release_type=minor" >> $GITHUB_OUTPUT
else
echo "release_type=patch" >> "$GITHUB_OUTPUT"
echo "release_type=patch" >> $GITHUB_OUTPUT
fi

shopt -u nocasematch
Expand Down Expand Up @@ -78,12 +81,14 @@
id: standard-version
run: |
npx standard-version --release-as ${{ steps.determine-release.outputs.release_type }}
echo "tag_name=$(git describe --abbrev=0 --tags)" >>"$GITHUB_OUTPUT"
echo "tag_name=$(git describe --abbrev=0 --tags)" >>$GITHUB_OUTPUT

- name: Push tags and changelog
run: git push --follow-tags origin main
env:
GH_TOKEN: ${{ steps.generate_app_token.outputs.token }}

- name: Create GitHub release
- name: create release
uses: actions/create-release@v1
env:
GITHUB_TOKEN: ${{ steps.generate_app_token.outputs.token }}
Expand All @@ -93,4 +98,4 @@
body: "${{ steps.changelog.outputs.clean_changelog }}"

- name: Publish package on NPM 📦
run: npm publish --access public
run: npm publish
Loading