Files
ccs/.github/workflows/label-pending-release.yml
T
kaitranntt 5a8db2c1ee fix(ci): prevent shell injection from PR body markdown
Pass PR title and body via env vars instead of direct interpolation.
Prevents backticks in markdown code blocks from being executed as shell commands.
2025-12-13 23:31:52 -05:00

44 lines
1.4 KiB
YAML

name: Label Pending Release
on:
pull_request:
types: [opened, reopened]
branches: [dev]
jobs:
label:
runs-on: ubuntu-latest
permissions:
issues: write
steps:
- name: Label linked issues as pending-release
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
PR_TITLE: ${{ github.event.pull_request.title }}
PR_BODY: ${{ github.event.pull_request.body }}
run: |
# Extract issue numbers from PR title and body (passed via env vars for safety)
# Using env vars prevents shell injection from backticks in markdown
PR_TEXT="$PR_TITLE $PR_BODY"
ISSUES=$(echo "$PR_TEXT" | grep -oE "(Fixes|Closes|Resolves|Refs?) #[0-9]+" | grep -oE "#[0-9]+" | sort -u || true)
if [[ -z "$ISSUES" ]]; then
echo "No linked issues found in PR"
exit 0
fi
for ISSUE in $ISSUES; do
NUM=${ISSUE#\#}
echo "Labeling issue #$NUM as pending-release"
# Create label if doesn't exist
gh label create "pending-release" \
--color "fbca04" \
--description "Fix in review, awaiting merge" \
--repo ${{ github.repository }} 2>/dev/null || true
# Add label to issue
gh issue edit $NUM --add-label "pending-release" --repo ${{ github.repository }} || true
done