sarman/tftsr-devops_investigation
1
0
Fork 0
Code Issues 1 Pull Requests Actions 34 Packages Projects 3 Releases 11 Wiki Activity

fix(ci): harden CHANGELOG.md API push step per review
All checks were successful
Test / rust-fmt-check (pull_request) Successful in 26s
Details
Test / frontend-typecheck (pull_request) Successful in 1m37s
Details
Test / frontend-tests (pull_request) Successful in 1m25s
Details
PR Review Automation / review (pull_request) Successful in 3m54s
Details
Test / rust-clippy (pull_request) Successful in 4m25s
Details
Test / rust-tests (pull_request) Successful in 5m47s
Details

Browse Source 
- set -euo pipefail (was -eu; pipefail catches silent pipe failures)
- Validate TAG against ^v[0-9]+\.[0-9]+\.[0-9]+$ before use in commit
  message and JSON payload — prevents shell injection
- Tolerate 404 on SHA fetch (new file): curl 2>/dev/null or true keeps
  CURRENT_SHA empty rather than causing jq to abort
- Use jq -n to build JSON payload — conditionally omits sha field when
  file does not exist yet; eliminates manual string escaping
- Check HTTP status of PUT; print response body and exit 1 on non-2xx
- Add Accept: application/json header to SHA fetch request
This commit is contained in:
Shaun Arman 2026-04-12 22:13:25 -05:00
parent 2da529fb75
commit f74238a65a
1 changed files with 31 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

43
.gitea/workflows/auto-tag.yml
View File

@ -134,24 +134,43 @@ jobs:
env: env:
RELEASE_TOKEN: ${{ secrets.RELEASE_TOKEN }} RELEASE_TOKEN: ${{ secrets.RELEASE_TOKEN }}
run: | run: |
set -eu set -euo pipefail
API="http://172.0.0.29:3000/api/v1/repos/$GITHUB_REPOSITORY" API="http://172.0.0.29:3000/api/v1/repos/$GITHUB_REPOSITORY"
TAG=$(git describe --tags --abbrev=0) TAG=$(git describe --tags --abbrev=0)
# Get current file SHA from master (required by API if the file already exists) # Validate tag format to prevent shell injection in commit message / JSON
CURRENT_SHA=$(curl -sf "$API/contents/CHANGELOG.md?ref=master" \ if ! echo "$TAG" | grep -qE '^v[0-9]+\.[0-9]+\.[0-9]+$'; then
-H "Authorization: token $RELEASE_TOKEN" | jq -r '.sha // empty') echo "ERROR: Unexpected tag format: $TAG"
# Base64-encode the generated file (no line wrapping) exit 1
fi
# Fetch current blob SHA from master; empty if file doesn't exist yet
CURRENT_SHA=$(curl -sf \
-H "Accept: application/json" \
-H "Authorization: token $RELEASE_TOKEN" \
"$API/contents/CHANGELOG.md?ref=master" 2>/dev/null \
| jq -r '.sha // empty' 2>/dev/null || true)
# Base64-encode content (no line wrapping)
CONTENT=$(base64 -w 0 CHANGELOG.md) CONTENT=$(base64 -w 0 CHANGELOG.md)
# Build JSON payload — omit "sha" when file doesn't exist yet (new repo)
PAYLOAD=$(jq -n \
--arg msg "chore: update CHANGELOG.md for ${TAG} [skip ci]" \
--arg body "$CONTENT" \
--arg sha "$CURRENT_SHA" \
'if $sha == ""
then {message: $msg, content: $body, branch: "master"}
else {message: $msg, content: $body, sha: $sha, branch: "master"}
end')
# PUT atomically updates (or creates) the file on master — no fast-forward needed # PUT atomically updates (or creates) the file on master — no fast-forward needed
curl -sf -X PUT "$API/contents/CHANGELOG.md" \ RESP_FILE=$(mktemp)
HTTP_CODE=$(curl -s -o "$RESP_FILE" -w "%{http_code}" -X PUT \
-H "Authorization: token $RELEASE_TOKEN" \ -H "Authorization: token $RELEASE_TOKEN" \
-H "Content-Type: application/json" \ -H "Content-Type: application/json" \
-d "{ -d "$PAYLOAD" \
\"message\": \"chore: update CHANGELOG.md for ${TAG} [skip ci]\", "$API/contents/CHANGELOG.md")
\"content\": \"$CONTENT\", if [ "$HTTP_CODE" -lt 200 ] || [ "$HTTP_CODE" -ge 300 ]; then
\"sha\": \"$CURRENT_SHA\", echo "ERROR: Failed to update CHANGELOG.md (HTTP $HTTP_CODE)"
\"branch\": \"master\" cat "$RESP_FILE" >&2
}" exit 1
fi
echo "✓ CHANGELOG.md committed to master" echo "✓ CHANGELOG.md committed to master"
- name: Upload CHANGELOG.md as release asset - name: Upload CHANGELOG.md as release asset