
Commit a99ff44

authored
Merge pull request #249 from sendbird/fix/internal-security
chore: pass the workflow version input through env vars in publish-package.yml instead of inlining `${{ }}` expressions into scripts (script-injection hardening)
2 parents a614f97 + c3f8d1b commit a99ff44


1 file changed

+9
-4
lines changed


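--- a/.github/workflows/publish-package.yml
+++ b/.github/workflows/publish-package.yml
@@ -18,8 +18,11 @@ jobs:
       - uses: actions/setup-node@v4
       - name: 'validation'
         uses: actions/github-script@v7
+        env:
+          VERSION: ${{ github.event.inputs.version }}
         with:
           script: |
+            const version = process.env.VERSION;
             const permission = await github.rest.repos.getCollaboratorPermissionLevel({
               owner: context.repo.owner,
               repo: context.repo.repo,
@@ -29,8 +32,8 @@ jobs:
               core.setFailed(`User ${context.actor} does not have write or admin permissions to this repository.`);
             }
             const currentBranch = context.ref.replace('refs/heads/', '');
-            if (currentBranch !== `release/${{ github.event.inputs.version }}`) {
-              core.setFailed(`Current branch ${currentBranch} does not match release/${{ github.event.inputs.version }}`);
+            if (currentBranch !== `release/${version}`) {
+              core.setFailed(`Current branch ${currentBranch} does not match release/${version}`);
             }
             const pullRequests = await github.rest.pulls.list({
               owner: context.repo.owner,
@@ -53,11 +56,13 @@ jobs:
       - name: 'publish to npm'
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          VERSION: ${{ github.event.inputs.version }}
         run: |
-          yarn lerna version ${{ github.event.inputs.version }} --yes
+          yarn lerna version "$VERSION" --yes
           yarn lerna publish from-git --yes
       - name: 'approve a pull request'
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR_NUMBER: ${{ env.PR_NUMBER }}
         run: |
-          gh pr review ${{ env.PR_NUMBER }} --approve --body "approved by automation"
+          gh pr review "$PR_NUMBER" --approve --body "approved by automation"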
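Review bot: The version input is now read from the environment but is never validated before it drives the branch check in the validation step and the `yarn lerna version "$VERSION"` call in the publish step, so a malformed or empty input only fails late inside lerna with the branch check offering the sole guard. Right after `const version = process.env.VERSION;` I would fail fast on shape, e.g. `if (!/^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/.test(version ?? '')) { core.setFailed(`Invalid version input: ${version}`); return; }`. Note also that the existing `core.setFailed(...)` calls in this script do not return, so the remaining checks and the pull-request lookup still execute after a permission or branch mismatch; the step still ends failed, but an explicit `return` after each would make the control flow clearer. The `PR_NUMBER: ${{ env.PR_NUMBER }}` mapping in the approve step appears redundant if that value is written via `GITHUB_ENV` by an earlier step outside this hunk, since it would already be present in the step's environment; it is harmless but worth a comment stating where PR_NUMBER originates. The `validation` step's script body and the step that sets PR_NUMBER begin outside the visible hunks.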
