Skip to content

Move release and tag version into env vars to prevent template injection #2049

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
adamtheturtle merged 4 commits into from
Mar 17, 2026
+57 −25
Merged

Move release and tag version into env vars to prevent template injection #2049

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
222811e
Move release and tag version into env vars to prevent template injection
adamtheturtle Mar 17, 2026
09ccad2
Enable template-injection rule in zizmor config
adamtheturtle Mar 17, 2026
2fe3755
Fix template-injection in Check steps
adamtheturtle Mar 17, 2026
8245c36
Fix remaining template-injection findings and check-manifest
adamtheturtle Mar 17, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
80 changes: 57 additions & 23 deletions .github/workflows/release.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -54,8 +54,10 @@ jobs:

- name: Get the changelog underline
id: changelog_underline
env:
RELEASE: ${{ steps.calver.outputs.release }}
run: |
underline="$(echo "${{ steps.calver.outputs.release }}" | tr -c '\n' '-')"
underline="$(echo "$RELEASE" | tr -c '\n' '-')"
echo "underline=${underline}" >> "$GITHUB_OUTPUT"

- name: Update changelog
Expand All @@ -73,15 +75,19 @@ jobs:
regex: false

- name: Check Update changelog was modified
env:
MODIFIED_FILES: ${{ steps.update_changelog.outputs.modifiedFiles }}
run: |
if [ "${{ steps.update_changelog.outputs.modifiedFiles }}" = "0" ]; then
if [ "$MODIFIED_FILES" = "0" ]; then
echo "Error: No files were modified when updating changelog"
exit 1
fi

- name: Update VERSION file for Nix flake
env:
RELEASE: ${{ steps.calver.outputs.release }}
run: |
echo "${{ steps.calver.outputs.release }}" > VERSION
echo "$RELEASE" > VERSION

- uses: stefanzweifel/git-auto-commit-action@v7
id: commit
Expand All @@ -101,16 +107,20 @@ jobs:
commit_sha: ${{ steps.commit.outputs.commit_hash }}

- name: Checkout the latest tag - the one we just created
env:
NEW_TAG: ${{ steps.tag_version.outputs.new_tag }}
run: |
git fetch --tags
git checkout ${{ steps.tag_version.outputs.new_tag }}
git checkout "$NEW_TAG"

- name: Build a binary wheel and a source tarball
id: build-wheel
env:
NEW_TAG: ${{ steps.tag_version.outputs.new_tag }}
run: |
sudo rm -rf dist/ build/
git fetch --tags
git checkout ${{ steps.tag_version.outputs.new_tag }}
git checkout "$NEW_TAG"
uv build --sdist --wheel --out-dir dist/
WHEEL="$(ls dist/*.whl)"
uv run --extra=release check-wheel-contents "${WHEEL}"
Expand All @@ -129,10 +139,12 @@ jobs:
# Here, we give PyPI time to propagate the package.
- name: Install package from PyPI
uses: nick-fields/retry@v3
env:
RELEASE: ${{ steps.calver.outputs.release }}
with:
timeout_seconds: 5
max_attempts: 50
command: uv pip install --refresh vws-cli==${{ steps.calver.outputs.release }}
command: uv pip install --refresh vws-cli=="$RELEASE"

- name: Set up Homebrew filename
id: set-homebrew-filename
Expand All @@ -143,11 +155,14 @@ jobs:
- name: Create a Homebrew recipe
id: homebrew-create
uses: nick-fields/retry@v3
env:
RELEASE: ${{ steps.calver.outputs.release }}
HOMEBREW_FILENAME: ${{ steps.set-homebrew-filename.outputs.filename }}
with:
timeout_seconds: 5
max_attempts: 50
command: |
uv run --no-cache --with="vws-cli==${{ steps.calver.outputs.release }}" --extra=release poet --formula vws-cli > ${{ steps.set-homebrew-filename.outputs.filename }}
uv run --no-cache --with="vws-cli==$RELEASE" --extra=release poet --formula vws-cli > "$HOMEBREW_FILENAME"

- name: Update Homebrew description
id: update_homebrew_description
Expand All @@ -159,8 +174,10 @@ jobs:
regex: false

- name: Check Update Homebrew description was modified
env:
MODIFIED_FILES: ${{ steps.update_homebrew_description.outputs.modifiedFiles }}
run: |
if [ "${{ steps.update_homebrew_description.outputs.modifiedFiles }}" = "0" ]; then
if [ "$MODIFIED_FILES" = "0" ]; then
echo "Error: No files were modified when updating Homebrew description"
exit 1
fi
Expand Down Expand Up @@ -219,15 +236,19 @@ jobs:
# We normalize the version (e.g., 2026.01.22 -> 2026.1.22) for PyPI lookup.
- name: Wait for PyPI propagation
uses: nick-fields/retry@v3
env:
NEW_TAG: ${{ needs.build.outputs.new_tag }}
with:
timeout_seconds: 10
max_attempts: 50
command: |
normalized_version=$(echo "${{ needs.build.outputs.new_tag }}" | sed -E 's/\.0+([0-9])/.\1/g')
normalized_version=$(echo "$NEW_TAG" | sed -E 's/\.0+([0-9])/.\1/g')
curl -sf "https://pypi.org/pypi/vws-cli/${normalized_version}/json" > /dev/null

- name: Create requirements file
run: echo "vws-cli==${{ needs.build.outputs.new_tag }}" > requirements.txt
env:
NEW_TAG: ${{ needs.build.outputs.new_tag }}
run: echo "vws-cli==$NEW_TAG" > requirements.txt

- name: Create Linux binary
uses: sayyid5416/pyinstaller@v1
Expand All @@ -243,8 +264,9 @@ jobs:
- name: Upload Linux binary to release
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
NEW_TAG: ${{ needs.build.outputs.new_tag }}
run: |
gh release upload ${{ needs.build.outputs.new_tag }} dist/${{ matrix.binary.name }} --clobber
gh release upload "$NEW_TAG" dist/${{ matrix.binary.name }} --clobber

publish-docker:
name: Publish Docker image
Expand Down Expand Up @@ -279,15 +301,17 @@ jobs:
# check, so we retry.
- name: Build and push Docker image
uses: nick-fields/retry@v3
env:
NEW_TAG: ${{ needs.build.outputs.new_tag }}
with:
timeout_minutes: 10
max_attempts: 5
command: |-
docker buildx build \
--push \
--platform linux/amd64,linux/arm64 \
--build-arg VWS_CLI_VERSION=${{ needs.build.outputs.new_tag }} \
--tag ghcr.io/vws-python/vws-cli:${{ needs.build.outputs.new_tag }} \
--build-arg VWS_CLI_VERSION="$NEW_TAG" \
--tag ghcr.io/vws-python/vws-cli:"$NEW_TAG" \
--tag ghcr.io/vws-python/vws-cli:latest \
.

Expand Down Expand Up @@ -317,16 +341,20 @@ jobs:
# We normalize the version (e.g., 2026.01.22 -> 2026.1.22) for PyPI lookup.
- name: Wait for PyPI propagation
uses: nick-fields/retry@v3
env:
NEW_TAG: ${{ needs.build.outputs.new_tag }}
with:
timeout_seconds: 10
max_attempts: 50
shell: bash
command: |
normalized_version=$(echo "${{ needs.build.outputs.new_tag }}" | sed -E 's/\.0+([0-9])/.\1/g')
normalized_version=$(echo "$NEW_TAG" | sed -E 's/\.0+([0-9])/.\1/g')
curl -sf "https://pypi.org/pypi/vws-cli/${normalized_version}/json" > /dev/null

- name: Create requirements file
run: echo "vws-cli==${{ needs.build.outputs.new_tag }}" > requirements.txt
env:
NEW_TAG: ${{ needs.build.outputs.new_tag }}
run: echo "vws-cli==$NEW_TAG" > requirements.txt
Copy link

@cursor cursor bot Mar 17, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Windows steps use Bash env syntax

High Severity

In build-windows, run blocks reference NEW_TAG as $NEW_TAG, but default Windows shell is PowerShell. That syntax reads an undefined PowerShell variable, not the env var from env:. This makes requirements.txt version empty and causes gh release upload to run with an empty tag.

Additional Locations (1)
Fix in Cursor Fix in Web


- name: Create Windows binary for Vuforia Cloud Reco
uses: sayyid5416/pyinstaller@v1
Expand Down Expand Up @@ -364,10 +392,11 @@ jobs:
- name: Upload Windows binaries to release
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
NEW_TAG: ${{ needs.build.outputs.new_tag }}
run: |-
gh release upload ${{ needs.build.outputs.new_tag }} dist/vws-windows.exe --clobber
gh release upload ${{ needs.build.outputs.new_tag }} dist/vuforia-cloud-reco-windows.exe --clobber
gh release upload ${{ needs.build.outputs.new_tag }} dist/vumark-windows.exe --clobber
gh release upload "$NEW_TAG" dist/vws-windows.exe --clobber
gh release upload "$NEW_TAG" dist/vuforia-cloud-reco-windows.exe --clobber
gh release upload "$NEW_TAG" dist/vumark-windows.exe --clobber

build-macos:
name: Build macOS binaries
Expand All @@ -390,15 +419,19 @@ jobs:
# We normalize the version (e.g., 2026.01.22 -> 2026.1.22) for PyPI lookup.
- name: Wait for PyPI propagation
uses: nick-fields/retry@v3
env:
NEW_TAG: ${{ needs.build.outputs.new_tag }}
with:
timeout_seconds: 10
max_attempts: 50
command: |
normalized_version=$(echo "${{ needs.build.outputs.new_tag }}" | sed -E 's/\.0+([0-9])/.\1/g')
normalized_version=$(echo "$NEW_TAG" | sed -E 's/\.0+([0-9])/.\1/g')
curl -sf "https://pypi.org/pypi/vws-cli/${normalized_version}/json" > /dev/null

- name: Create requirements file
run: echo "vws-cli==${{ needs.build.outputs.new_tag }}" > requirements.txt
env:
NEW_TAG: ${{ needs.build.outputs.new_tag }}
run: echo "vws-cli==$NEW_TAG" > requirements.txt

- name: Create macOS binary for Vuforia Cloud Reco
uses: sayyid5416/pyinstaller@v1
Expand Down Expand Up @@ -436,10 +469,11 @@ jobs:
- name: Upload macOS binaries to release
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
NEW_TAG: ${{ needs.build.outputs.new_tag }}
run: |-
gh release upload ${{ needs.build.outputs.new_tag }} dist/vws-macos --clobber
gh release upload ${{ needs.build.outputs.new_tag }} dist/vuforia-cloud-reco-macos --clobber
gh release upload ${{ needs.build.outputs.new_tag }} dist/vumark-macos --clobber
gh release upload "$NEW_TAG" dist/vws-macos --clobber
gh release upload "$NEW_TAG" dist/vuforia-cloud-reco-macos --clobber
gh release upload "$NEW_TAG" dist/vumark-macos --clobber

publish-to-winget:
name: Publish to WinGet
Expand Down
2 changes: 0 additions & 2 deletions zizmor.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,8 +8,6 @@ rules:
disable: true
dependabot-cooldown:
disable: true
template-injection:
disable: true
superfluous-actions:
disable: true
artipacked:
Expand Down
Loading