Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 2 additions & 7 deletions .github/actions/create-prerelease/action.yml
Original file line number Diff line number Diff line change
Expand Up @@ -7,10 +7,7 @@ inputs:
package-path:
description: 'package path to run action e.g. package/common'
required: true
npm-token:
description: 'token to push to npm registry'
required: true


Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

Script executed:

#!/bin/bash
# Find workflows calling create-prerelease or create-release actions
echo "=== Searching for workflows calling create-prerelease or create-release ==="
fd -t f '\.(yml|yaml)$' '.github/workflows' | while read workflow; do
  if grep -l 'create-prerelease\|create-release' "$workflow" 2>/dev/null; then
    echo "Found workflow: $workflow"
  fi
done

echo ""
echo "=== Full content of workflows calling these actions ==="
fd -t f '\.(yml|yaml)$' '.github/workflows' -x grep -l 'create-prerelease\|create-release' {} \; | while read workflow; do
  echo "--- File: $workflow ---"
  cat -n "$workflow"
  echo ""
done

Repository: subquery/subql-solana


<shell_result>
Repository: subquery/subql-solana
Exit code: 0

stdout:

=== Searching for workflows calling create-prerelease or create-release ===
.github/workflows/gh-release.yml
Found workflow: .github/workflows/gh-release.yml
.github/workflows/publish.yml
Found workflow: .github/workflows/publish.yml

=== Full content of workflows calling these actions ===
--- File: .github/workflows/gh-release.yml ---
     1	name: "Github Release"
     2	on:
     3	  workflow_dispatch:
     4	
     5	jobs:
     6	  github-release:
     7	    name: github-release
     8	    runs-on: ubuntu-latest
     9	    steps:
    10	      #Check out
    11	      - uses: actions/checkout@v5
    12	        with:
    13	          fetch-depth: 100
    14	
    15	      - name: Setup Node.js environment
    16	        uses: actions/setup-node@v5
    17	        with:
    18	          node-version: lts/*
    19	
    20	      - run: yarn install
    21	
    22	      #Create github releases
    23	      - uses: ./.github/actions/create-release
    24	        with:
    25	          package-path: packages/common-solana
    26	          repo-token: ${{ secrets.REPO_TOKEN }}
    27	
    28	      - uses: ./.github/actions/create-release
    29	        with:
    30	          package-path: packages/node
    31	          repo-token: ${{ secrets.REPO_TOKEN }}
    32	
    33	      - uses: ./.github/actions/create-release
    34	        with:
    35	          package-path: packages/types
    36	          repo-token: ${{ secrets.REPO_TOKEN }}

--- File: .github/workflows/publish.yml ---
     1	name: "Publish"
     2	on:
     3	  push:
     4	    branches:
     5	      - main
     6	    paths-ignore:
     7	      - ".github/workflows/**"
     8	
     9	permissions:
    10	  id-token: write  # Required for OIDC
    11	  contents: read
    12	
    13	concurrency:
    14	  group: publish
    15	  cancel-in-progress: false
    16	
    17	jobs:
    18	
    19	  pre-ci:
    20	    name: Pre-CI (Extract Commit Message)
    21	    runs-on: ubuntu-latest
    22	    timeout-minutes: 1
    23	    outputs:
    24	      commit-message: ${{ steps.get_commit_message.outputs.commit-message }}
    25	    steps:
    26	      - uses: actions/checkout@v5
    27	        with:
    28	          fetch-depth: 0
    29	
    30	      - id: get_commit_message
    31	        run: |
    32	          COMMIT_MSG_TEMP="${{ github.event.head_commit.message }}"
    33	          if [ -n "$COMMIT_MSG_TEMP" ]
    34	          then
    35	            commit_msg="$COMMIT_MSG_TEMP"
    36	            echo "commit-message=${commit_msg}" | head -n 1 >> "$GITHUB_OUTPUT"
    37	          else
    38	            commit_message=$(git log -1 --pretty=%B | head -n 1)
    39	            echo "commit-message=$commit_message" >> "$GITHUB_OUTPUT"
    40	          fi
    41	
    42	      - name: Debug commit message
    43	        run: |
    44	          echo "Commit message: ${{ steps.get_commit_message.outputs.commit-message }}"
    45	
    46	  setup:
    47	    name: Setup & Detect Changes
    48	    needs: pre-ci
    49	    runs-on: ubuntu-latest
    50	    outputs:
    51	      changed-types: ${{ steps.changed-types.outputs.changed }}
    52	      changed-common-solana: ${{ steps.changed-common-solana.outputs.changed }}
    53	      changed-node: ${{ steps.changed-node.outputs.changed }}
    54	    steps:
    55	      - uses: actions/checkout@v5
    56	        with:
    57	          fetch-depth: 100 # Needed to detect changes by having commit history
    58	
    59	      - uses: marceloprado/has-changed-path@v1
    60	        id: changed-types
    61	        with:
    62	          paths: packages/types
    63	
    64	      - uses: marceloprado/has-changed-path@v1
    65	        id: changed-common-solana
    66	        with:
    67	          paths: packages/common-solana
    68	
    69	      - uses: marceloprado/has-changed-path@v1
    70	        id: changed-node
    71	        with:
    72	          paths: packages/node
    73	
    74	  release:
    75	    name: Release Publish
    76	    needs: [pre-ci, setup]
    77	    if: >
    78	      !startsWith(github.event.head_commit.message, '[SKIP CI]')
    79	      && startsWith(github.event.head_commit.message, '[release]')
    80	      && github.repository == 'subquery/subql-solana'
    81	    runs-on: ubuntu-latest
    82	    steps:
    83	      - uses: actions/checkout@v5
    84	        with:
    85	          fetch-depth: 0
    86	
    87	      - name: Setup Node.js environment
    88	        uses: actions/setup-node@v5
    89	        with:
    90	          node-version: lts/*
    91	
    92	      - name: Update npm
    93	        run: npm install -g npm@latest
    94	
    95	      - run: yarn
    96	
    97	      - name: build
    98	        run: yarn build
    99	
   100	      # Publish to npm and github releases
   101	      - name: Publish Types
   102	        if: needs.setup.outputs.changed-types == 'true'
   103	        uses: ./.github/actions/create-release
   104	        with:
   105	          package-path: packages/types
   106	          repo-token: ${{ secrets.REPO_TOKEN }}
   107	
   108	      - name: Publish Common Solana
   109	        if: needs.setup.outputs.changed-common-solana == 'true'
   110	        uses: ./.github/actions/create-release
   111	        with:
   112	          package-path: packages/common-solana
   113	          repo-token: ${{ secrets.REPO_TOKEN }}
   114	
   115	      - name: Publish Node
   116	        if: needs.setup.outputs.changed-node == 'true'
   117	        uses: ./.github/actions/create-release
   118	        with:
   119	          package-path: packages/node
   120	          repo-token: ${{ secrets.REPO_TOKEN }}
   121	
   122	  prerelease:
   123	    name: Prerelease Publish
   124	    needs: [pre-ci, setup]
   125	    if: >
   126	      !startsWith(needs.pre-ci.outputs.commit-message, '[SKIP CI]')
   127	      && !startsWith(needs.pre-ci.outputs.commit-message, '[release]')
   128	      && github.repository == 'subquery/subql-solana'
   129	    runs-on: ubuntu-latest
   130	    steps:
   131	      - uses: actions/checkout@v5
   132	        with:
   133	          fetch-depth: 0
   134	          token: ${{ secrets.REPO_TOKEN }} # Needed to push changes back to repo
   135	
   136	      - name: Setup Node.js environment
   137	        uses: actions/setup-node@v5
   138	        with:
   139	          node-version: lts/*
   140	
   141	      - name: Update npm
   142	        run: npm install -g npm@latest
   143	
   144	      - run: yarn
   145	
   146	      - name: build
   147	        run: yarn build
   148	
   149	      # Prerelease publish steps
   150	      - name: Bump types & deploy
   151	        if: needs.setup.outputs.changed-types == 'true'
   152	        uses: ./.github/actions/create-prerelease
   153	        with:
   154	          package-path: packages/types
   155	
   156	      - name: Bump common Solana & deploy
   157	        if: needs.setup.outputs.changed-common-solana == 'true'
   158	        uses: ./.github/actions/create-prerelease
   159	        with:
   160	          package-path: packages/common-solana
   161	
   162	      - name: Bump node & deploy
   163	        if: needs.setup.outputs.changed-node == 'true'
   164	        uses: ./.github/actions/create-prerelease
   165	        with:
   166	          package-path: packages/node
   167	
   168	
   169	      - name: Commit changes
   170	        uses: EndBug/add-and-commit@v9
   171	        with:
   172	          message: "[SKIP CI] Prerelease"
   173	          default_author: github_actions

</shell_result>


Script executed:

#!/bin/bash
# First, check the full create-prerelease action.yml file
echo "=== Full create-prerelease action.yml ==="
cat -n .github/actions/create-prerelease/action.yml

echo ""
echo "=== Searching for .npmrc or npmrc configuration files ==="
fd -t f '\.npmrc|npmrc' .

echo ""
echo "=== Checking for OIDC or getIDToken references in workflows ==="
rg -n 'getIDToken|OIDC|npm.*token|OIDC' '.github/workflows/' -i

echo ""
echo "=== Checking for npm configuration steps in publish workflow ==="
rg -n -A5 -B5 'npm.*config|\.npmrc' '.github/workflows/publish.yml'

Repository: subquery/subql-solana


<shell_result>
Repository: subquery/subql-solana
Exit code: 1

stdout:

=== Full create-prerelease action.yml ===
     1	# Composite action needed to access github context
     2	
     3	# This is to compensate for yarn 3 issue https://github.com/yarnpkg/berry/issues/3868
     4	name: 'Remove Stable Versions'
     5	description: 'This will remove stableVersion from packages for prerelease'
     6	inputs:
     7	  package-path:
     8	    description: 'package path to run action e.g. package/common'
     9	    required: true
    10	
    11	runs:
    12	  using: "composite"
    13	  steps:
    14	    - working-directory: ${{ github.workspace }}
    15	      run: node ${{ github.action_path }}/remove-stable-version.js ${{ github.workspace }}/${{ inputs.package-path }}
    16	      shell: bash
    17	
    18	    - working-directory: ${{ inputs.package-path }}
    19	      run: echo "Changes exist in ${{ inputs.package-path }}" && yarn version prerelease && yarn npm publish --access public --tag dev
    20	      shell: bash

=== Searching for .npmrc or npmrc configuration files ===

=== Checking for OIDC or getIDToken references in workflows ===
.github/workflows/publish.yml:10:  id-token: write  # Required for OIDC

=== Checking for npm configuration steps in publish workflow ===

</shell_result>


Script executed:

#!/bin/bash
# Check if there are any other npm/node setup actions or scripts
echo "=== Checking actions/setup-node@v5 for OIDC capabilities ==="
rg -n 'registry-url|scope\|npm-auth' '.github/workflows/publish.yml'

echo ""
echo "=== Checking remove-stable-version.js for any env setup ==="
if [ -f '.github/actions/create-prerelease/remove-stable-version.js' ]; then
  head -50 '.github/actions/create-prerelease/remove-stable-version.js'
fi

echo ""
echo "=== Check full create-release action for comparison ==="
cat -n '.github/actions/create-release/action.yml'

Repository: subquery/subql-solana


<shell_result>
Repository: subquery/subql-solana
Exit code: 0

stdout:

=== Checking actions/setup-node@v5 for OIDC capabilities ===

=== Checking remove-stable-version.js for any env setup ===
const fs = require('fs');
const myArgs = process.argv.slice(2);
const pJson = require(`${myArgs[0]}/package.json`)

if (pJson.stableVersion){
    delete pJson.stableVersion
    fs.writeFileSync(`${myArgs[0]}/package.json`, JSON.stringify(pJson, null, 2))
}

=== Check full create-release action for comparison ===
     1	# Composite action needed to access github context
     2	
     3	name: 'Create Release'
     4	description: 'This will publish to NPM registry and create Github release'
     5	inputs:
     6	  package-path: # id of input
     7	    description: 'package path to run action e.g. package/common'
     8	    required: true
     9	  repo-token:
    10	    description: 'token to create github release'
    11	    required: true
    12	
    13	runs:
    14	  using: "composite"
    15	  steps:
    16	    - working-directory: ${{ inputs.package-path }}
    17	      run: echo "Changes exist in ${{ inputs.package-path }}" && yarn npm publish --access public
    18	      shell: bash
    19	
    20	    - working-directory: ${{ github.workspace }}
    21	      run: node ${{ github.action_path }}/gh-release-script.js ${{ github.workspace }}/${{ inputs.package-path }} ${{ github.sha }}
    22	      env:
    23	        REPO_TOKEN: ${{ inputs.repo-token }}
    24	      shell: bash

</shell_result>


Script executed:

#!/bin/bash
echo "=== Searching for yarn config files ==="
fd -t f '\.yarnrc' .

echo ""
echo "=== Searching for .yarnrc.yml ==="
fd -t f '\.yarnrc\.yml' .

echo ""
echo "=== Full content if found ==="
if [ -f '.yarnrc.yml' ]; then
  cat -n '.yarnrc.yml'
fi

echo ""
echo "=== Checking for any npmrc or yarnrc in .github directory ==="
find .github -type f -name '.*rc*' 2>/dev/null

echo ""
echo "=== Check package.json scripts for npm config ==="
rg -n '"version|"publish' package.json -A2 -B2

Repository: subquery/subql-solana


<shell_result>
Repository: subquery/subql-solana
Exit code: 1

stdout:

=== Searching for yarn config files ===

=== Searching for .yarnrc.yml ===

=== Full content if found ===
     1	changesetBaseRefs:
     2	  - main
     3	  - origin/main
     4	
     5	changesetIgnorePatterns:
     6	  - .yarn/**/*
     7	
     8	compressionLevel: mixed
     9	
    10	enableGlobalCache: false
    11	
    12	enableImmutableInstalls: false
    13	
    14	enableProgressBars: false
    15	
    16	nodeLinker: node-modules
    17	
    18	npmAuthToken: "${NPM_TOKEN:-}"
    19	
    20	npmPublishRegistry: "https://registry.npmjs.org"
    21	
    22	yarnPath: .yarn/releases/yarn-4.12.0.cjs

=== Checking for any npmrc or yarnrc in .github directory ===

=== Check package.json scripts for npm config ===

</shell_result>


Perfect. Now I have all the information needed. The verification reveals a critical issue: The .yarnrc.yml file expects NPM_TOKEN environment variable (line 18), but the workflow never sets it despite having the id-token permission.

Here's the final rewritten review comment:


Verify OIDC token is exported to NPM_TOKEN environment variable before calling create-prerelease.

The npm-token input has been removed, aligning with the PR objective to migrate to NPM OIDC. However, the migration is incomplete: .yarnrc.yml (line 18) requires npmAuthToken: "${NPM_TOKEN:-}" to be set, but the publish.yml workflow never exports the OIDC token.

Current state:

  • publish.yml has permissions: id-token: write (line 10) ✓
  • Missing: No step calls core.getIDToken() to retrieve and export the OIDC token as NPM_TOKEN
  • create-prerelease action receives no authentication mechanism
  • yarn npm publish will fail with 401 Unauthorized when NPM_TOKEN evaluates to empty

Required fix: Add a step in the prerelease job to export the OIDC token:

- name: Get OIDC token
  id: oidc
  run: echo "NPM_TOKEN=$(curl -s -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "${ACTIONS_ID_TOKEN_REQUEST_URL}?audience=npm")" >> $GITHUB_ENV
  env:
    ACTIONS_ID_TOKEN_REQUEST_URL: ${{ env.ACTIONS_ID_TOKEN_REQUEST_URL }}
    ACTIONS_ID_TOKEN_REQUEST_TOKEN: ${{ env.ACTIONS_ID_TOKEN_REQUEST_TOKEN }}

Or use an action like actions/create-github-app-token that exports NPM_TOKEN before calling create-prerelease.

Also applies to: 19-19

🤖 Prompt for AI Agents
.github/actions/create-prerelease/action.yml around lines 10 and 18-19: the
workflow sets id-token permission but never exports the OIDC token into the
NPM_TOKEN env var required by .yarnrc.yml (npmAuthToken: "${NPM_TOKEN:-}"),
causing publish to 401; add a step in the prerelease job before calling
create-prerelease that retrieves the OIDC token and writes it to GITHUB_ENV as
NPM_TOKEN (either by using core.getIDToken() or the documented curl call with
ACTIONS_ID_TOKEN_REQUEST_URL/TOKEN, or a maintained action like
actions/create-github-app-token) so create-prerelease and yarn npm publish
receive a populated NPM_TOKEN.

runs:
using: "composite"
steps:
Expand All @@ -19,7 +16,5 @@ runs:
shell: bash

- working-directory: ${{ inputs.package-path }}
run: echo "Changes exist in ${{ inputs.package-path }}" && yarn version prerelease && yarn npm publish --access public --tag dev
env:
NPM_TOKEN: ${{ inputs.npm-token }}
run: echo "Changes exist in ${{ inputs.package-path }}" && yarn version prerelease && yarn npm publish --access public --tag dev
shell: bash
11 changes: 3 additions & 8 deletions .github/actions/create-release/action.yml
Original file line number Diff line number Diff line change
Expand Up @@ -9,21 +9,16 @@ inputs:
repo-token:
description: 'token to create github release'
required: true
npm-token:
description: 'token to push to npm registry'
required: true


runs:
using: "composite"
steps:
- working-directory: ${{ inputs.package-path }}
run: echo "Changes exist in ${{ inputs.package-path }}" && yarn npm publish --access public
env:
NPM_TOKEN: ${{ inputs.npm-token }}
run: echo "Changes exist in ${{ inputs.package-path }}" && yarn npm publish --access public
shell: bash

- working-directory: ${{ github.workspace }}
run: node ${{ github.action_path }}/gh-release-script.js ${{ github.workspace }}/${{ inputs.package-path }} ${{ github.sha }}
env:
env:
REPO_TOKEN: ${{ inputs.repo-token }}
shell: bash
7 changes: 3 additions & 4 deletions .github/workflows/benchmark.yml
Original file line number Diff line number Diff line change
Expand Up @@ -65,7 +65,7 @@ jobs:

steps:
#Check out
- uses: actions/checkout@v4
- uses: actions/checkout@v5
with:
fetch-depth: 100
token: ${{ secrets.REPO_TOKEN }}
Expand All @@ -82,12 +82,12 @@ jobs:
echo "::set-output name=network-endpoint::${NETWORK_ENDPOINT}"
echo "::add-mask::${NETWORK_ENDPOINT}"
# Store the prepared NETWORK_ENDPOINT in an environment variable
echo "NETWORK_ENDPOINT=${NETWORK_ENDPOINT}" >> $GITHUB_ENV
echo "NETWORK_ENDPOINT=${NETWORK_ENDPOINT}" >> $GITHUB_ENV

- name: Install Docker inside the container
run: |
apt-get update
apt-get install -y docker.io
apt-get install -y docker.io

- name: Install PostgreSQL client
run: |
Expand Down Expand Up @@ -201,4 +201,3 @@ jobs:
}
env:
SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}

2 changes: 1 addition & 1 deletion .github/workflows/discord.yml
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,7 @@ jobs:

steps:
- name: Send release details to Discord
uses: rjstone/discord-webhook-notify@v1
uses: rjstone/discord-webhook-notify@v2
with:
webhookUrl: ${{ secrets.DISCORD_RELEASE_NOTES_WEBHOOK }}
color: '#6499ff'
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/gh-release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -8,12 +8,12 @@ jobs:
runs-on: ubuntu-latest
steps:
#Check out
- uses: actions/checkout@v4
- uses: actions/checkout@v5
with:
fetch-depth: 100

- name: Setup Node.js environment
uses: actions/setup-node@v4
uses: actions/setup-node@v5
with:
node-version: lts/*

Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/node-docker.yml
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,7 @@ jobs:
outputs:
changes_found: ${{ steps.check_changes.outputs.changes_found }}
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
with:
fetch-depth: 2
- name: Check for package changes and commit message
Expand All @@ -39,7 +39,7 @@ jobs:
if: needs.check.outputs.changes_found == 'true'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
with:
fetch-depth: 100
token: ${{ secrets.REPO_TOKEN }}
Expand Down
8 changes: 4 additions & 4 deletions .github/workflows/pr.yml
Original file line number Diff line number Diff line change
Expand Up @@ -12,9 +12,9 @@ jobs:
SUBQL_ACCESS_TOKEN_TEST: ${{ secrets.SUBQL_ACCESS_TOKEN_TEST }}
SUBQL_ORG_TEST: ${{ secrets.SUBQL_ORG_TEST }}
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
- name: Setup Node.js environment
uses: actions/setup-node@v4
uses: actions/setup-node@v5
with:
node-version: lts/*
- run: yarn
Expand Down Expand Up @@ -46,10 +46,10 @@ jobs:
DB_PORT: 5432
HTTP_ENDPOINT: ${{ secrets.HTTP_ENDPOINT }}
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5

- name: Setup Node.js environment
uses: actions/setup-node@v4
uses: actions/setup-node@v5
with:
node-version: lts/*

Expand Down
76 changes: 0 additions & 76 deletions .github/workflows/prerelease.yml

This file was deleted.

173 changes: 173 additions & 0 deletions .github/workflows/publish.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,173 @@
name: "Publish"
on:
push:
branches:
- main
paths-ignore:
- ".github/workflows/**"

permissions:
id-token: write # Required for OIDC
contents: read

concurrency:
group: publish
cancel-in-progress: false

jobs:

pre-ci:
name: Pre-CI (Extract Commit Message)
runs-on: ubuntu-latest
timeout-minutes: 1
outputs:
commit-message: ${{ steps.get_commit_message.outputs.commit-message }}
steps:
- uses: actions/checkout@v5
with:
fetch-depth: 0

- id: get_commit_message
run: |
COMMIT_MSG_TEMP="${{ github.event.head_commit.message }}"
if [ -n "$COMMIT_MSG_TEMP" ]
then
commit_msg="$COMMIT_MSG_TEMP"
echo "commit-message=${commit_msg}" | head -n 1 >> "$GITHUB_OUTPUT"
else
commit_message=$(git log -1 --pretty=%B | head -n 1)
echo "commit-message=$commit_message" >> "$GITHUB_OUTPUT"
fi
Comment on lines +30 to +40

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

Fix potential shell injection vulnerability in commit message handling.

Line 32 directly uses github.event.head_commit.message in an inline script without proper escaping, creating a script injection vulnerability. Per GitHub's secure scripting guidelines, untrusted context values should be passed through environment variables instead.

Apply this diff to fix the injection vulnerability:

       - id: get_commit_message
         run: |
-          COMMIT_MSG_TEMP="${{ github.event.head_commit.message }}"
-          if [ -n "$COMMIT_MSG_TEMP" ]
+          if [ -n "$COMMIT_MSG_TEMP" ]
           then
-            commit_msg="$COMMIT_MSG_TEMP"
-            echo "commit-message=${commit_msg}" | head -n 1 >> "$GITHUB_OUTPUT"
+            echo "commit-message=$(echo "$COMMIT_MSG_TEMP" | head -n 1)" >> "$GITHUB_OUTPUT"
           else
             commit_message=$(git log -1 --pretty=%B | head -n 1)
             echo "commit-message=$commit_message" >> "$GITHUB_OUTPUT"
           fi
+        env:
+          COMMIT_MSG_TEMP: ${{ github.event.head_commit.message }}

This approach passes the untrusted value through an environment variable, then uses proper quoting to ensure it cannot break out of the script context.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- id: get_commit_message
run: |
COMMIT_MSG_TEMP="${{ github.event.head_commit.message }}"
if [ -n "$COMMIT_MSG_TEMP" ]
then
commit_msg="$COMMIT_MSG_TEMP"
echo "commit-message=${commit_msg}" | head -n 1 >> "$GITHUB_OUTPUT"
else
commit_message=$(git log -1 --pretty=%B | head -n 1)
echo "commit-message=$commit_message" >> "$GITHUB_OUTPUT"
fi
- id: get_commit_message
run: |
if [ -n "$COMMIT_MSG_TEMP" ]
then
echo "commit-message=$(echo "$COMMIT_MSG_TEMP" | head -n 1)" >> "$GITHUB_OUTPUT"
else
commit_message=$(git log -1 --pretty=%B | head -n 1)
echo "commit-message=$commit_message" >> "$GITHUB_OUTPUT"
fi
env:
COMMIT_MSG_TEMP: ${{ github.event.head_commit.message }}
🧰 Tools
🪛 actionlint (1.7.8)

31-31: "github.event.head_commit.message" is potentially untrusted. avoid using it directly in inline scripts. instead, pass it through an environment variable. see https://docs.github.com/en/actions/reference/security/secure-use#good-practices-for-mitigating-script-injection-attacks for more details

(expression)

🤖 Prompt for AI Agents
.github/workflows/publish.yml lines 30-40: the inline script directly
interpolates github.event.head_commit.message into shell (possible shell
injection); instead expose that value via a step env variable and reference it
quoted inside the script. Update the step to set an env key (e.g.,
COMMIT_MSG_ENV: "${{ github.event.head_commit.message }}") and in the run block
read and test "$COMMIT_MSG_ENV" (always quoted), assign to commit_msg if
non-empty, otherwise fall back to git log; ensure no unquoted expansions or eval
are used so the untrusted value cannot break out of the script context.


- name: Debug commit message
run: |
echo "Commit message: ${{ steps.get_commit_message.outputs.commit-message }}"

setup:
name: Setup & Detect Changes
needs: pre-ci
runs-on: ubuntu-latest
outputs:
changed-types: ${{ steps.changed-types.outputs.changed }}
changed-common-solana: ${{ steps.changed-common-solana.outputs.changed }}
changed-node: ${{ steps.changed-node.outputs.changed }}
steps:
- uses: actions/checkout@v5
with:
fetch-depth: 100 # Needed to detect changes by having commit history

- uses: marceloprado/has-changed-path@v1
id: changed-types
with:
paths: packages/types

- uses: marceloprado/has-changed-path@v1
id: changed-common-solana
with:
paths: packages/common-solana

- uses: marceloprado/has-changed-path@v1
id: changed-node
with:
paths: packages/node

release:
name: Release Publish
needs: [pre-ci, setup]
if: >
!startsWith(github.event.head_commit.message, '[SKIP CI]')
&& startsWith(github.event.head_commit.message, '[release]')
&& github.repository == 'subquery/subql-solana'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v5
with:
fetch-depth: 0

- name: Setup Node.js environment
uses: actions/setup-node@v5
with:
node-version: lts/*

- name: Update npm
run: npm install -g npm@latest

- run: yarn

- name: build
run: yarn build

# Publish to npm and github releases
- name: Publish Types
if: needs.setup.outputs.changed-types == 'true'
uses: ./.github/actions/create-release
with:
package-path: packages/types
repo-token: ${{ secrets.REPO_TOKEN }}

- name: Publish Common Solana
if: needs.setup.outputs.changed-common-solana == 'true'
uses: ./.github/actions/create-release
with:
package-path: packages/common-solana
repo-token: ${{ secrets.REPO_TOKEN }}

- name: Publish Node
if: needs.setup.outputs.changed-node == 'true'
uses: ./.github/actions/create-release
with:
package-path: packages/node
repo-token: ${{ secrets.REPO_TOKEN }}

prerelease:
name: Prerelease Publish
needs: [pre-ci, setup]
if: >
!startsWith(needs.pre-ci.outputs.commit-message, '[SKIP CI]')
&& !startsWith(needs.pre-ci.outputs.commit-message, '[release]')
&& github.repository == 'subquery/subql-solana'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v5
with:
fetch-depth: 0
token: ${{ secrets.REPO_TOKEN }} # Needed to push changes back to repo

- name: Setup Node.js environment
uses: actions/setup-node@v5
with:
node-version: lts/*

- name: Update npm
run: npm install -g npm@latest

- run: yarn

- name: build
run: yarn build

# Prerelease publish steps
- name: Bump types & deploy
if: needs.setup.outputs.changed-types == 'true'
uses: ./.github/actions/create-prerelease
with:
package-path: packages/types

- name: Bump common Solana & deploy
if: needs.setup.outputs.changed-common-solana == 'true'
uses: ./.github/actions/create-prerelease
with:
package-path: packages/common-solana

- name: Bump node & deploy
if: needs.setup.outputs.changed-node == 'true'
uses: ./.github/actions/create-prerelease
with:
package-path: packages/node


- name: Commit changes
uses: EndBug/add-and-commit@v9
with:
message: "[SKIP CI] Prerelease"
default_author: github_actions
Loading
Loading