
Commit dc8846d

Move release and tag version into env vars to prevent template injection (#2049)
* Move release and tag version into env vars to prevent template injection
* Enable template-injection rule in zizmor config

Made-with: Cursor

* Fix template-injection in Check steps

Made-with: Cursor

* Fix remaining template-injection findings and check-manifest

Made-with: Cursor
1 parent d13b5e4 commit dc8846d

2 files changed

Lines changed: 57 additions & 25 deletions


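--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -54,8 +54,10 @@ jobs:
 
       - name: Get the changelog underline
         id: changelog_underline
+        env:
+          RELEASE: ${{ steps.calver.outputs.release }}
         run: |
-          underline="$(echo "${{ steps.calver.outputs.release }}" | tr -c '\n' '-')"
+          underline="$(echo "$RELEASE" | tr -c '\n' '-')"
           echo "underline=${underline}" >> "$GITHUB_OUTPUT"
 
       - name: Update changelog
@@ -73,15 +75,19 @@ jobs:
           regex: false
 
       - name: Check Update changelog was modified
+        env:
+          MODIFIED_FILES: ${{ steps.update_changelog.outputs.modifiedFiles }}
         run: |
-          if [ "${{ steps.update_changelog.outputs.modifiedFiles }}" = "0" ]; then
+          if [ "$MODIFIED_FILES" = "0" ]; then
             echo "Error: No files were modified when updating changelog"
             exit 1
           fi
 
       - name: Update VERSION file for Nix flake
+        env:
+          RELEASE: ${{ steps.calver.outputs.release }}
         run: |
-          echo "${{ steps.calver.outputs.release }}" > VERSION
+          echo "$RELEASE" > VERSION
 
       - uses: stefanzweifel/git-auto-commit-action@v7
         id: commit
@@ -101,16 +107,20 @@ jobs:
           commit_sha: ${{ steps.commit.outputs.commit_hash }}
 
       - name: Checkout the latest tag - the one we just created
+        env:
+          NEW_TAG: ${{ steps.tag_version.outputs.new_tag }}
         run: |
           git fetch --tags
-          git checkout ${{ steps.tag_version.outputs.new_tag }}
+          git checkout "$NEW_TAG"
 
       - name: Build a binary wheel and a source tarball
         id: build-wheel
+        env:
+          NEW_TAG: ${{ steps.tag_version.outputs.new_tag }}
         run: |
           sudo rm -rf dist/ build/
           git fetch --tags
-          git checkout ${{ steps.tag_version.outputs.new_tag }}
+          git checkout "$NEW_TAG"
           uv build --sdist --wheel --out-dir dist/
           WHEEL="$(ls dist/*.whl)"
           uv run --extra=release check-wheel-contents "${WHEEL}"
@@ -129,10 +139,12 @@ jobs:
       # Here, we give PyPI time to propagate the package.
       - name: Install package from PyPI
         uses: nick-fields/retry@v3
+        env:
+          RELEASE: ${{ steps.calver.outputs.release }}
         with:
           timeout_seconds: 5
           max_attempts: 50
-          command: uv pip install --refresh vws-cli==${{ steps.calver.outputs.release }}
+          command: uv pip install --refresh vws-cli=="$RELEASE"
 
       - name: Set up Homebrew filename
         id: set-homebrew-filename
@@ -143,11 +155,14 @@ jobs:
       - name: Create a Homebrew recipe
         id: homebrew-create
         uses: nick-fields/retry@v3
+        env:
+          RELEASE: ${{ steps.calver.outputs.release }}
+          HOMEBREW_FILENAME: ${{ steps.set-homebrew-filename.outputs.filename }}
         with:
           timeout_seconds: 5
           max_attempts: 50
           command: |
-            uv run --no-cache --with="vws-cli==${{ steps.calver.outputs.release }}" --extra=release poet --formula vws-cli > ${{ steps.set-homebrew-filename.outputs.filename }}
+            uv run --no-cache --with="vws-cli==$RELEASE" --extra=release poet --formula vws-cli > "$HOMEBREW_FILENAME"
 
       - name: Update Homebrew description
         id: update_homebrew_description
@@ -159,8 +174,10 @@ jobs:
           regex: false
 
       - name: Check Update Homebrew description was modified
+        env:
+          MODIFIED_FILES: ${{ steps.update_homebrew_description.outputs.modifiedFiles }}
         run: |
-          if [ "${{ steps.update_homebrew_description.outputs.modifiedFiles }}" = "0" ]; then
+          if [ "$MODIFIED_FILES" = "0" ]; then
             echo "Error: No files were modified when updating Homebrew description"
             exit 1
           fi
@@ -219,15 +236,19 @@ jobs:
       # We normalize the version (e.g., 2026.01.22 -> 2026.1.22) for PyPI lookup.
       - name: Wait for PyPI propagation
         uses: nick-fields/retry@v3
+        env:
+          NEW_TAG: ${{ needs.build.outputs.new_tag }}
         with:
           timeout_seconds: 10
           max_attempts: 50
           command: |
-            normalized_version=$(echo "${{ needs.build.outputs.new_tag }}" | sed -E 's/\.0+([0-9])/.\1/g')
+            normalized_version=$(echo "$NEW_TAG" | sed -E 's/\.0+([0-9])/.\1/g')
             curl -sf "https://pypi.org/pypi/vws-cli/${normalized_version}/json" > /dev/null
 
       - name: Create requirements file
-        run: echo "vws-cli==${{ needs.build.outputs.new_tag }}" > requirements.txt
+        env:
+          NEW_TAG: ${{ needs.build.outputs.new_tag }}
+        run: echo "vws-cli==$NEW_TAG" > requirements.txt
 
       - name: Create Linux binary
         uses: sayyid5416/pyinstaller@v1
@@ -243,8 +264,9 @@ jobs:
       - name: Upload Linux binary to release
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          NEW_TAG: ${{ needs.build.outputs.new_tag }}
         run: |
-          gh release upload ${{ needs.build.outputs.new_tag }} dist/${{ matrix.binary.name }} --clobber
+          gh release upload "$NEW_TAG" dist/${{ matrix.binary.name }} --clobber
 
   publish-docker:
     name: Publish Docker image
@@ -279,15 +301,17 @@ jobs:
       # check, so we retry.
       - name: Build and push Docker image
         uses: nick-fields/retry@v3
+        env:
+          NEW_TAG: ${{ needs.build.outputs.new_tag }}
         with:
           timeout_minutes: 10
           max_attempts: 5
           command: |-
             docker buildx build \
               --push \
               --platform linux/amd64,linux/arm64 \
-              --build-arg VWS_CLI_VERSION=${{ needs.build.outputs.new_tag }} \
-              --tag ghcr.io/vws-python/vws-cli:${{ needs.build.outputs.new_tag }} \
+              --build-arg VWS_CLI_VERSION="$NEW_TAG" \
+              --tag ghcr.io/vws-python/vws-cli:"$NEW_TAG" \
               --tag ghcr.io/vws-python/vws-cli:latest \
               .
 
@@ -317,16 +341,20 @@ jobs:
       # We normalize the version (e.g., 2026.01.22 -> 2026.1.22) for PyPI lookup.
       - name: Wait for PyPI propagation
         uses: nick-fields/retry@v3
+        env:
+          NEW_TAG: ${{ needs.build.outputs.new_tag }}
         with:
           timeout_seconds: 10
           max_attempts: 50
           shell: bash
           command: |
-            normalized_version=$(echo "${{ needs.build.outputs.new_tag }}" | sed -E 's/\.0+([0-9])/.\1/g')
+            normalized_version=$(echo "$NEW_TAG" | sed -E 's/\.0+([0-9])/.\1/g')
             curl -sf "https://pypi.org/pypi/vws-cli/${normalized_version}/json" > /dev/null
 
       - name: Create requirements file
-        run: echo "vws-cli==${{ needs.build.outputs.new_tag }}" > requirements.txt
+        env:
+          NEW_TAG: ${{ needs.build.outputs.new_tag }}
+        run: echo "vws-cli==$NEW_TAG" > requirements.txt
 
       - name: Create Windows binary for Vuforia Cloud Reco
         uses: sayyid5416/pyinstaller@v1
@@ -364,10 +392,11 @@ jobs:
       - name: Upload Windows binaries to release
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          NEW_TAG: ${{ needs.build.outputs.new_tag }}
         run: |-
-          gh release upload ${{ needs.build.outputs.new_tag }} dist/vws-windows.exe --clobber
-          gh release upload ${{ needs.build.outputs.new_tag }} dist/vuforia-cloud-reco-windows.exe --clobber
-          gh release upload ${{ needs.build.outputs.new_tag }} dist/vumark-windows.exe --clobber
+          gh release upload "$NEW_TAG" dist/vws-windows.exe --clobber
+          gh release upload "$NEW_TAG" dist/vuforia-cloud-reco-windows.exe --clobber
+          gh release upload "$NEW_TAG" dist/vumark-windows.exe --clobber
 
   build-macos:
     name: Build macOS binaries
@@ -390,15 +419,19 @@ jobs:
       # We normalize the version (e.g., 2026.01.22 -> 2026.1.22) for PyPI lookup.
       - name: Wait for PyPI propagation
         uses: nick-fields/retry@v3
+        env:
+          NEW_TAG: ${{ needs.build.outputs.new_tag }}
         with:
           timeout_seconds: 10
           max_attempts: 50
           command: |
-            normalized_version=$(echo "${{ needs.build.outputs.new_tag }}" | sed -E 's/\.0+([0-9])/.\1/g')
+            normalized_version=$(echo "$NEW_TAG" | sed -E 's/\.0+([0-9])/.\1/g')
             curl -sf "https://pypi.org/pypi/vws-cli/${normalized_version}/json" > /dev/null
 
       - name: Create requirements file
-        run: echo "vws-cli==${{ needs.build.outputs.new_tag }}" > requirements.txt
+        env:
+          NEW_TAG: ${{ needs.build.outputs.new_tag }}
+        run: echo "vws-cli==$NEW_TAG" > requirements.txt
 
       - name: Create macOS binary for Vuforia Cloud Reco
         uses: sayyid5416/pyinstaller@v1
@@ -436,10 +469,11 @@ jobs:
       - name: Upload macOS binaries to release
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          NEW_TAG: ${{ needs.build.outputs.new_tag }}
         run: |-
-          gh release upload ${{ needs.build.outputs.new_tag }} dist/vws-macos --clobber
-          gh release upload ${{ needs.build.outputs.new_tag }} dist/vuforia-cloud-reco-macos --clobber
-          gh release upload ${{ needs.build.outputs.new_tag }} dist/vumark-macos --clobber
+          gh release upload "$NEW_TAG" dist/vws-macos --clobber
+          gh release upload "$NEW_TAG" dist/vuforia-cloud-reco-macos --clobber
+          gh release upload "$NEW_TAG" dist/vumark-macos --clobber
 
   publish-to-winget:
     name: Publish to WinGet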
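Review bot: The "Upload Linux binary to release" step (hunk `@@ -243,8 +264,9 @@`) still splices `${{ matrix.binary.name }}` directly into the shell line, and unquoted, while every other value in this commit was moved into `env:`. Matrix entries are presumably declared statically in the workflow (the matrix definition is outside these hunks, so I cannot confirm), which keeps the practical exposure low, but the step now mixes two conventions and any future change that derives the matrix from an expression would reopen the gap the commit closes elsewhere. I would add `BINARY_NAME: ${{ matrix.binary.name }}` under the step's `env:` and change the command to `gh release upload "$NEW_TAG" "dist/$BINARY_NAME" --clobber`, which also keeps zizmor's now-enabled template-injection rule from needing a per-step exemption later.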

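--- a/zizmor.yml
+++ b/zizmor.yml
@@ -8,8 +8,6 @@ rules:
     disable: true
   dependabot-cooldown:
     disable: true
-  template-injection:
-    disable: true
   superfluous-actions:
     disable: true
   artipacked: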
