fix(ci): use feat: prefix in release PR title for semantic-release #385
Squash merges use the PR title as the commit message. semantic-release needs a feat:/fix: prefix to trigger a version bump. Also added note to use rebase merge to preserve individual commits.
📝 Walkthrough
Updated the release PR creation workflow to use semantic-commit title format (
Changes: Release PR metadata update
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/create-release-pr.yml:
- Around line 44-48: Replace interpolating ${{ steps.commits.outputs.log }} directly into the double-quoted --body argument (which allows shell/template injection) by writing the output safely to a file and passing that file to the GitHub CLI via --body-file; specifically, capture steps.commits.outputs.log into a temp file using a safe write (e.g. printf '%s' "${{ steps.commits.outputs.log }}" > pr_body.txt) and then call gh pr create ... --body-file pr_body.txt (instead of --body "...${{ steps.commits.outputs.log }}...") so special characters in the commit log are not interpreted by the shell or CLI.
📒 Files selected for processing (1)
.github/workflows/create-release-pr.yml
Diff excerpt (.github/workflows/create-release-pr.yml):
          --body "## Commits being promoted

-         ${{ steps.commits.outputs.log }}"
+         ${{ steps.commits.outputs.log }}
+
+         > **Merge with rebase** to preserve individual commit messages for semantic-release."
Avoid shell/template injection when building PR body (Line 46).
steps.commits.outputs.log is injected into a double-quoted shell argument. If a commit message contains shell metacharacters (for example $(...) or quotes), it can be executed/interpreted in this step.
🔒 Safer pattern using --body-file
- name: Create PR
env:
GH_TOKEN: ${{ steps.app-token.outputs.token }}
+ COMMITS_LOG: ${{ steps.commits.outputs.log }}
run: |
+ {
+ printf '## Commits being promoted\n\n'
+ printf '%s\n\n' "$COMMITS_LOG"
+ printf '> **Merge with rebase** to preserve individual commit messages for semantic-release.\n'
+ } > pr_body.md
+
gh pr create \
--base release \
--head main \
--title "feat(release): promote main to stable" \
- --body "## Commits being promoted
-
- ${{ steps.commits.outputs.log }}
-
- > **Merge with rebase** to preserve individual commit messages for semantic-release."
+ --body-file pr_body.md
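Review bot: The protection in this hunk comes from the COMMITS_LOG entry under env:, not from printf on its own. Because the log reaches the script as the value of a variable, bash treats $(...), quotes and backticks in a commit subject as data, and printf '%s\n\n' "$COMMITS_LOG" also keeps any % sequences from being read as format directives. Keep that env indirection when applying the change: the shorter form quoted in the AI-agent prompt above, printf '%s' "${{ steps.commits.outputs.log }}" > pr_body.txt, still expands the template into the script text before the shell runs it and so leaves the injection in place.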
🪛 zizmor (1.25.2)
[info] 46-46: code injection via template expansion (template-injection): may expand into attacker-controllable code
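The body-file pattern from the suggested fix as a reusable bash function, together with a small awk check that reports ${{ }} expansions found inside run: blocks of a workflow file. This is an added example, not code from this PR or from CodeRabbit; the file paths and the sample commit log are constructed.

```shell
#!/usr/bin/env bash
# Added example, not code from the PR or from CodeRabbit: the body-file pattern of the
# suggested fix as a reusable function, plus a small check that flags ${{ }} template
# expansions sitting inside run: blocks of a workflow file (where bash would parse them).
set -euo pipefail

# Mirrors the suggested hunk: the commit log reaches the script through the COMMITS_LOG
# environment variable, so its content is data to bash, never code, and printf '%s'
# keeps any %-sequences in it from being read as format directives.
write_pr_body() {            # $1 = output path; reads COMMITS_LOG from the environment
  {
    printf '## Commits being promoted\n\n'
    printf '%s\n\n' "${COMMITS_LOG:?COMMITS_LOG must be set}"
    printf '> **Merge with rebase** to preserve individual commit messages for semantic-release.\n'
  } > "$1"
}

# Prints "line:text" for every ${{ ... }} that appears inside a run: block. Expansions
# under env: are not reported, since they arrive as plain variables instead of being
# pasted into the script text before the shell sees it.
find_run_expansions() {      # $1 = workflow YAML path
  awk '
    function indent(s) { match(s, /^ */); return RLENGTH }
    /^[ \t]*(-[ \t]+)?run:/ {
      in_run = 1; match($0, /run:/); run_indent = RSTART - 1
      if (index($0, "${{")) print NR ":" $0
      next
    }
    in_run && NF && indent($0) <= run_indent { in_run = 0 }
    in_run && index($0, "${{") { print NR ":" $0 }
  ' "$1"
}

# Constructed sample input with the characters the review warns about.
demo() {
  local dir; dir=$(mktemp -d)
  COMMITS_LOG=$'- fix: titles containing $(whoami) and `id`\n- feat: "quoted" text at 100% coverage'
  write_pr_body "$dir/pr_body.md"
  cat "$dir/pr_body.md"        # the log lines appear byte-for-byte; nothing was executed
  rm -rf "$dir"
}
demo
```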
✅ Deploy Preview for devsydev canceled.
Summary by CodeRabbit
release: to feat(release): so squash merges trigger semantic-release