Skip to content

Comments

Validate VERSION before writing to GITHUB_OUTPUT in monorepo-release workflow#85

Open
Copilot wants to merge 2 commits intomainfrom
copilot/validate-version-format
Open

Validate VERSION before writing to GITHUB_OUTPUT in monorepo-release workflow#85
Copilot wants to merge 2 commits intomainfrom
copilot/validate-version-format

Conversation

Copy link
Contributor

Copilot AI commented Feb 19, 2026
edited
Loading

Summary

VERSION extracted from pyproject.toml in monorepo-release.yml was written directly to $GITHUB_OUTPUT without validation. A newline-containing version string (e.g., 1.0.0\nGH_TOKEN=leaked) could inject arbitrary key-value pairs into GITHUB_OUTPUT, poisoning subsequent steps. This also silently produced a tag named v if the grep/sed pattern failed to match.

Adds the same validation guard already present in python-release.yml, applied immediately after extraction and before any output is written:

if [[ ! "$VERSION" =~ ^[0-9a-zA-Z._-]+$ ]]; then
  echo "::error::Unexpected version format: '${VERSION}'" >&2
  exit 1
fi

Testing

  • Not run (why?)
  • uv run poe check
  • Other: CodeQL scan — 0 alerts

Checklist

  • Linked issue or task reference
  • Added/updated tests where relevant
  • Updated docs/README if needed
  • No secrets or sensitive data added
  • Considered backward compatibility and deployment impact

Additional context

Original prompt

This section details on the original issue you should resolve

<issue_title>Validate VERSION before writing to GITHUB_OUTPUT in monorepo-release workflow to prevent newline injection</issue_title>
<issue_description>## Summary

The VERSION value extracted from pyproject.toml in .github/workflows/monorepo-release.yml is written directly to $GITHUB_OUTPUT without any format validation. A version string containing a newline character (e.g., version = "1.0.0\nGH_TOKEN=leaked") could inject arbitrary key-value pairs into GITHUB_OUTPUT, potentially poisoning subsequent workflow steps.

File & Location

  • File: .github/workflows/monorepo-release.yml
  • Line: 48

Original Review Comment

Category: CI/CD and GitHub Actions Security
Severity: Medium

The VERSION value extracted from pyproject.toml is written directly to $GITHUB_OUTPUT without any format validation. A version string that contains a newline character (e.g., version = "1.0.0\nGH_TOKEN=leaked") could inject arbitrary key-value pairs into GITHUB_OUTPUT, potentially poisoning subsequent steps.

By contrast, python-release.yml correctly validates wheel-derived values before using them:

if [[ ! "$NAME" =~ ^[a-zA-Z0-9_-]+$ ]] || [[ ! "$VERSION" =~ ^[0-9a-zA-Z._-]+$ ]]; then
  echo "::error::Unexpected wheel name/version format …" >&2
  exit 1
fi

Recommendation: Add an equivalent validation step immediately after extracting VERSION:

VERSION=$(grep -m1 '^version' pyproject.toml \
  | sed 's/version *= *"\(.*\)"/\1/')

# Validate format before writing to GITHUB_OUTPUT
if [[ ! "$VERSION" =~ ^[0-9a-zA-Z._-]+$ ]]; then
  echo "::error::Unexpected version format: '${VERSION}'" >&2
  exit 1
fi

echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
echo "tag=v${VERSION}" >> "$GITHUB_OUTPUT"

This also protects against an empty VERSION (if the grep/sed pattern fails to match), which would otherwise silently create a tag named v.

Proposed Fix

Add a format validation step immediately after extracting VERSION and before writing to GITHUB_OUTPUT, mirroring the pattern already used in python-release.yml:

if [[ ! "$VERSION" =~ ^[0-9a-zA-Z._-]+$ ]]; then
  echo "::error::Unexpected version format: '${VERSION}'" >&2
  exit 1
fi

Related PR: #51
Review comment: #51 (comment)

Generated by PR Review Comment — Create Issue for PR #51

Generated by PR Review Comment — Create Issue for issue #51

Comments on the Issue (you are @copilot in this section)

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

@pmalarme
Validate VERSION format before writing to GITHUB_OUTPUT in monorepo-r…
1c83829 
…elease workflow

Co-authored-by: pmalarme <686568+pmalarme@users.noreply.github.com>
Copilot AI changed the title [WIP] Validate VERSION before writing to GITHUB_OUTPUT Validate VERSION before writing to GITHUB_OUTPUT in monorepo-release workflow Feb 19, 2026
Copilot AI requested a review from pmalarme February 19, 2026 22:12
@pmalarme pmalarme marked this pull request as ready for review February 19, 2026 22:14
Copilot AI review requested due to automatic review settings February 19, 2026 22:14
Copilot AI reviewed Feb 19, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This pull request addresses a security vulnerability in the monorepo-release workflow by adding validation for the VERSION value extracted from pyproject.toml before it is written to GITHUB_OUTPUT. Without validation, a malicious version string containing newlines could inject arbitrary key-value pairs into the workflow output, potentially poisoning subsequent steps. The fix mirrors the existing security pattern already implemented in python-release.yml.

Changes:

  • Added regex validation (^[0-9a-zA-Z._-]+$) for VERSION immediately after extraction and before writing to GITHUB_OUTPUT
  • Added error handling that exits with status 1 if the VERSION format is unexpected

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@pmalarme pmalarme Awaiting requested review from pmalarme

Assignees

@pmalarme pmalarme

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Validate VERSION before writing to GITHUB_OUTPUT in monorepo-release workflow to prevent newline injection

2 participants

@pmalarme