fix(ci): use feat: prefix in release PR title for semantic-release#385
Merged
Conversation
Squash merges use the PR title as the commit message. semantic-release needs a feat:/fix: prefix to trigger a version bump. Also added note to use rebase merge to preserve individual commits.
📝 WalkthroughWalkthroughUpdated the release PR creation workflow to use semantic-commit title format ( ChangesRelease PR metadata update
Estimated code review effort🎯 1 (Trivial) | ⏱️ ~2 minutes Possibly related PRs
Suggested labels
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/create-release-pr.yml:
- Around line 44-48: Replace interpolating ${{ steps.commits.outputs.log }}
directly into the double-quoted --body argument (which allows shell/template
injection) by writing the output safely to a file and passing that file to the
GitHub CLI via --body-file; specifically, capture steps.commits.outputs.log into
a temp file using a safe write (e.g. printf '%s' "${{ steps.commits.outputs.log
}}" > pr_body.txt) and then call gh pr create ... --body-file pr_body.txt
(instead of --body "...${{ steps.commits.outputs.log }}...") so special
characters in the commit log are not interpreted by the shell or CLI.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 67bfc8ab-5afc-4173-a9df-84b9ecfe32ef
📒 Files selected for processing (1)
.github/workflows/create-release-pr.yml
Comment on lines
44
to
+48
| --body "## Commits being promoted | ||
|
|
||
| ${{ steps.commits.outputs.log }}" | ||
| ${{ steps.commits.outputs.log }} | ||
|
|
||
| > **Merge with rebase** to preserve individual commit messages for semantic-release." |
There was a problem hiding this comment.
Avoid shell/template injection when building PR body (Line 46).
steps.commits.outputs.log is injected into a double-quoted shell argument. If a commit message contains shell metacharacters (for example $(...) or quotes), it can be executed/interpreted in this step.
🔒 Safer pattern using --body-file
- name: Create PR
env:
GH_TOKEN: ${{ steps.app-token.outputs.token }}
+ COMMITS_LOG: ${{ steps.commits.outputs.log }}
run: |
+ {
+ printf '## Commits being promoted\n\n'
+ printf '%s\n\n' "$COMMITS_LOG"
+ printf '> **Merge with rebase** to preserve individual commit messages for semantic-release.\n'
+ } > pr_body.md
+
gh pr create \
--base release \
--head main \
--title "feat(release): promote main to stable" \
- --body "## Commits being promoted
-
- ${{ steps.commits.outputs.log }}
-
- > **Merge with rebase** to preserve individual commit messages for semantic-release."
+ --body-file pr_body.md🧰 Tools
🪛 zizmor (1.25.2)
[info] 46-46: code injection via template expansion (template-injection): may expand into attacker-controllable code
(template-injection)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/create-release-pr.yml around lines 44 - 48, Replace
interpolating ${{ steps.commits.outputs.log }} directly into the double-quoted
--body argument (which allows shell/template injection) by writing the output
safely to a file and passing that file to the GitHub CLI via --body-file;
specifically, capture steps.commits.outputs.log into a temp file using a safe
write (e.g. printf '%s' "${{ steps.commits.outputs.log }}" > pr_body.txt) and
then call gh pr create ... --body-file pr_body.txt (instead of --body "...${{
steps.commits.outputs.log }}...") so special characters in the commit log are
not interpreted by the shell or CLI.
✅ Deploy Preview for devsydev canceled.
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
release:tofeat(release):so squash merges trigger semantic-releaseSummary by CodeRabbit