From ae287553c7273485bf9dc09b4d6a9f40c27a6a1f Mon Sep 17 00:00:00 2001 From: Squirrel Date: Thu, 11 Jun 2026 17:27:12 +0100 Subject: [PATCH] fix(ci): harden release workflow inputs Signed-off-by: Giles Cope --- .github/workflows/release-image.yml | 26 ++++++++++++++++++++------ .github/workflows/srtool-build.yml | 29 +++++++++++++++++++++++------ 2 files changed, 43 insertions(+), 12 deletions(-) diff --git a/.github/workflows/release-image.yml b/.github/workflows/release-image.yml index fa09770bb..703a9fdbd 100644 --- a/.github/workflows/release-image.yml +++ b/.github/workflows/release-image.yml @@ -82,6 +82,16 @@ jobs: echo "::error::At least one component must be selected for release. All three skip flags are set." exit 1 + - name: Validate suffix + if: inputs.suffix != '' + env: + SUFFIX: ${{ inputs.suffix }} + run: | + if [[ ! "$SUFFIX" =~ ^[0-9A-Za-z._-]+$ ]]; then + echo "::error::suffix may only contain letters, numbers, dots, underscores, and hyphens" + exit 1 + fi + prepare-release: permissions: contents: read @@ -620,8 +630,9 @@ jobs: - name: Extract node binary from Docker image if: inputs.skip-node != true id: extract-node + env: + PLATFORM: ${{ matrix.platform }} run: | - PLATFORM="${{ matrix.platform }}" NODE_IMAGE="ghcr.io/midnight-ntwrk/midnight-node:${IMAGE_TAG_RELEASE}" NODE_RELEASE="midnight-node-${IMAGE_TAG_RELEASE}-linux-${PLATFORM}.tar.gz" @@ -639,8 +650,9 @@ jobs: - name: Extract toolkit binary from Docker image if: inputs.skip-toolkit != true id: extract-toolkit + env: + PLATFORM: ${{ matrix.platform }} run: | - PLATFORM="${{ matrix.platform }}" TOOLKIT_IMAGE="ghcr.io/midnight-ntwrk/midnight-node-toolkit:${TOOLKIT_TAG_RELEASE}" TOOLKIT_RELEASE="midnight-node-toolkit-${TOOLKIT_TAG_RELEASE}-linux-${PLATFORM}.tar.gz" 
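Review bot: The character class in the new `Validate suffix` step accepts a value that begins with `-` (for example `-rc`), which is harmless inside a quoted shell variable but turns into an option if the suffix is ever passed on its own to `gh`, `docker` or `tar`; anchoring on an alphanumeric first character, `if [[ ! "$SUFFIX" =~ ^[0-9A-Za-z][0-9A-Za-z._-]*$ ]]; then`, closes that. The check also only fails its own job: `prepare-release` follows immediately but its `needs:` is outside the hunk, so confirm that every job that consumes `inputs.suffix` depends on this validation job, otherwise an invalid suffix still reaches them. The enclosing job's header is above the hunk.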
@@ -658,11 +670,12 @@ jobs: env: NODE_RELEASE: ${{ steps.extract-node.outputs.node_release }} TOOLKIT_RELEASE: ${{ steps.extract-toolkit.outputs.toolkit_release }} + PLATFORM: ${{ matrix.platform }} run: | - if [ -n "$NODE_RELEASE" ]; then sha256sum "$NODE_RELEASE" >> "SHA256SUMS-${{ matrix.platform }}"; fi - if [ -n "$TOOLKIT_RELEASE" ]; then sha256sum "$TOOLKIT_RELEASE" >> "SHA256SUMS-${{ matrix.platform }}"; fi + if [ -n "$NODE_RELEASE" ]; then sha256sum "$NODE_RELEASE" >> "SHA256SUMS-$PLATFORM"; fi + if [ -n "$TOOLKIT_RELEASE" ]; then sha256sum "$TOOLKIT_RELEASE" >> "SHA256SUMS-$PLATFORM"; fi echo "Generated checksums:" - cat "SHA256SUMS-${{ matrix.platform }}" + cat "SHA256SUMS-$PLATFORM" - name: Attest node release binary if: inputs.skip-node != true @@ -681,12 +694,13 @@ jobs: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} NODE_FILE: ${{ steps.extract-node.outputs.node_release }} TOOLKIT_FILE: ${{ steps.extract-toolkit.outputs.toolkit_release }} + PLATFORM: ${{ matrix.platform }} run: | echo "Uploading assets to release: $GIT_TAG_RELEASE" FILES=() [ -n "$NODE_FILE" ] && FILES+=("$NODE_FILE") [ -n "$TOOLKIT_FILE" ] && FILES+=("$TOOLKIT_FILE") - FILES+=("SHA256SUMS-${{ matrix.platform }}") + FILES+=("SHA256SUMS-$PLATFORM") gh release upload --repo "$GITHUB_REPOSITORY" "$GIT_TAG_RELEASE" "${FILES[@]}" srtool-build: diff --git a/.github/workflows/srtool-build.yml b/.github/workflows/srtool-build.yml index a90a13bf3..5674c23d6 100644 --- a/.github/workflows/srtool-build.yml +++ b/.github/workflows/srtool-build.yml @@ -62,6 +62,16 @@ jobs: run: | . ./.envrc && earthly +srtool-build + - name: Validate runtime tag release + if: inputs.runtime-tag-release != '' + env: + RTAG: ${{ inputs.runtime-tag-release }} + run: | + if [[ ! "$RTAG" =~ ^[0-9A-Za-z._-]+$ ]]; then + echo "::error::runtime-tag-release may only contain letters, numbers, dots, underscores, and hyphens" + exit 1 + fi + - name: Rename WASM assets with version if: inputs.runtime-tag-release != '' env: 
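Review bot: The checksum step appends with `>>` and then unconditionally runs `cat "SHA256SUMS-$PLATFORM"`, so when both `NODE_RELEASE` and `TOOLKIT_RELEASE` are empty the file is never created and the `cat` fails the job, while any pre-existing file of that name on the runner would be appended to instead of replaced. Unless the step's `if:` (above the hunk) already excludes the both-skipped case, create the file fresh before the appends, `: > "SHA256SUMS-$PLATFORM"`, which makes both the `cat` and the later unconditional upload of this file well-defined. The step's `name` and `if` lines are outside the hunk.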
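Review bot: This `gh release upload` runs without `--clobber` while the srtool upload in the same patch uses it, so a re-run of this job after a partial failure stops on already-uploaded assets, and the two workflows disagree on whether re-publishing under an existing tag is allowed; pick one behaviour deliberately and record it above the command, e.g. `# no --clobber: attested assets are immutable once published; a re-run requires deleting the asset first`. `SHA256SUMS-$PLATFORM` is also added to `FILES` unconditionally and the visible `Attest node release binary` step covers only the binary, so the manifest's integrity rests on release-asset write access unless an attestation step outside the hunk covers it. The step's header is above the hunk.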
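Review bot: The new `Validate runtime tag release` step is placed after `earthly +srtool-build` has already completed, so a malformed input only fails the job after the full srtool build instead of before it; moving the step ahead of the build step gives the fail-fast behaviour the check exists for. The patch also validates only `runtime-tag-release`, while `inputs.release-tag` is passed to `gh release upload` as the tag argument in a later hunk and gets no equivalent check; a matching step `if: inputs.release-tag != ''` with `if [[ ! "$RELEASE_TAG" =~ ^[0-9A-Za-z._-]+$ ]]; then` would keep the two inputs on the same footing. The build step's header is above the hunk.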
@@ -97,12 +107,16 @@ jobs: - name: Generate checksums if: inputs.release-tag != '' + env: + WASM_FILE: ${{ steps.wasm-names.outputs.wasm }} + COMPACT_WASM_FILE: ${{ steps.wasm-names.outputs.compact }} + COMPRESSED_WASM_FILE: ${{ steps.wasm-names.outputs.compressed }} run: | cd artifacts/srtool || exit 1 { - sha256sum "${{ steps.wasm-names.outputs.wasm }}" - sha256sum "${{ steps.wasm-names.outputs.compact }}" - sha256sum "${{ steps.wasm-names.outputs.compressed }}" + sha256sum "$WASM_FILE" + sha256sum "$COMPACT_WASM_FILE" + sha256sum "$COMPRESSED_WASM_FILE" } >> SHA256SUMS-srtool echo "Generated checksums:" @@ -131,12 +145,15 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} RELEASE_TAG: ${{ inputs.release-tag }} + WASM_FILE: ${{ steps.wasm-names.outputs.wasm }} + COMPACT_WASM_FILE: ${{ steps.wasm-names.outputs.compact }} + COMPRESSED_WASM_FILE: ${{ steps.wasm-names.outputs.compressed }} run: | cd artifacts/srtool || exit 1 echo "Uploading srtool artifacts to release: $RELEASE_TAG" gh release upload --clobber --repo "$GITHUB_REPOSITORY" "$RELEASE_TAG" \ - "${{ steps.wasm-names.outputs.wasm }}" \ - "${{ steps.wasm-names.outputs.compact }}" \ - "${{ steps.wasm-names.outputs.compressed }}" \ + "$WASM_FILE" \ + "$COMPACT_WASM_FILE" \ + "$COMPRESSED_WASM_FILE" \ srtool-digest.json \ SHA256SUMS-srtool
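Review bot: The three `*_WASM_FILE` variables come from `steps.wasm-names.outputs.*`, and the rename step that appears to produce them is gated on `inputs.runtime-tag-release != ''` while this step is gated on `inputs.release-tag != ''`; if only `release-tag` is set the outputs are empty and `sha256sum ""` aborts with an opaque `No such file` error. A guard before the brace group gives a readable failure: `for f in "$WASM_FILE" "$COMPACT_WASM_FILE" "$COMPRESSED_WASM_FILE"; do [ -n "$f" ] || { echo "::error::wasm-names outputs are empty; set runtime-tag-release"; exit 1; }; done`. Whether `wasm-names` is the id of the rename step is not visible in this hunk.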
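Review bot: `--clobber` on this `gh release upload` silently replaces `SHA256SUMS-srtool`, `srtool-digest.json` and the WASM files on any re-run against an existing tag, so a later run can overwrite already-published runtime artifacts with no signal that they changed. If overwriting is intended, say so above the command, `# --clobber: re-runs replace existing assets for this tag`; if not, drop the flag so a re-run fails loudly on a collision, which is also what the release-image upload in this patch does. Nothing in the visible hunks attests the uploaded checksum file, so its integrity rests on release-asset write access alone unless a step outside this hunk covers it.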