Fix release notes diff in GitHub release actions #1882
rozza
left a comment
One question about fetch depth.
| with: | ||
| app_id: ${{ vars.APP_ID }} | ||
| private_key: ${{ secrets.APP_PRIVATE_KEY }} | ||
| fetch-depth: 0 |
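Review bot: fetch-depth: 0 is an input to the same action that receives app_id and private_key, so it only has an effect if secure-checkout forwards it to its inner checkout of github.ref; that is worth confirming, because the later git tag --list 'r*' --sort=-v:refname step needs the full tag set and a shallow checkout would leave CURRENT_TAG empty without any error. A one-line comment next to the setting saying why it is 0 would keep a later cleanup from dropping it.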
What does this do?
I think fetch-depth: 0 fetches all history for all branches and tags. But is it just for the mongodb-labs/drivers-github-tools/secure-checkout or is it for the java driver repo itself?
@rozza yes fetch-depth 0 fetches all branches and tags.
Per the GitHub Actions documentation (https://docs.github.com/en/actions/tutorials/create-an-example-workflow), drivers-github-tools is only pulled internally to run the action itself. The checkout operates on github.ref.
Have we tested this in the fork yet? I also noticed the note: "Needs to be tested by triggering GitHub Actions manually before merging."
Force-pushed from 1f0c2bf to f4ec15e
Semgrep found 1 finding: Using variable interpolation
Force-pushed the …hub-release-notes branch from 95ee4ef to cd8c537
| run: | | ||
| echo CURRENT_TAG=$(git \ | ||
| -c versionsort.suffix=-alpha \ | ||
| -c versionsort.suffix=-beta \ | ||
| -c versionsort.suffix=-rc \ | ||
| tag --list 'r*' --sort=-v:refname | head -n 1) >> $GITHUB_ENV | ||
| echo RELEASE_VERSION=${{ inputs.version }} >> $GITHUB_ENV | ||
| echo RELEASE_VERSION_WITHOUT_SUFFIX=$(echo ${{ inputs.version }} | awk -F- '{print $1}') >> $GITHUB_ENV | ||
| if [[ "${{ inputs.version }}" =~ (alpha|beta|rc)[0-9]+$ ]]; then |
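Review bot: head -n 1 on the version-sorted list picks the highest tag in the whole repository, not the most recent one on the branch being released, so a patch release cut from an older branch after a newer minor has been tagged would compute its comparison range from the wrong CURRENT_TAG; limiting the candidates, for example with git tag --list --merged HEAD or a pattern derived from the release version, would make the base tag follow the branch. The ${{ inputs.version }} splices on the same lines are the injection Semgrep reports below, and $GITHUB_ENV and the $(git ...) substitution on the echo line should be double-quoted as well.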
Using variable interpolation ${{...}} with github context data in a run: step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. github context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with env: to store the data and use the environment variable in the run: script. Be sure to double-quote the environment variable, like this: "$ENVVAR".
🌟 Fixed in commit 61f89a9 🌟
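What the Semgrep finding describes, as an added example that is not code from the PR or the driver repository: GitHub expands ${{ inputs.version }} into the script text before the shell starts, which is the same as building the command line by string concatenation. unsafe_step reproduces that pattern and safe_step the env: plus double-quoted variable form, with the awk suffix strip from the PR kept. The helper names, the temp file standing in for $GITHUB_ENV, and the input values are all constructed for this demo.

```shell
#!/bin/sh
# Added example, not code from the PR. Simulates the two ways a run: step can
# receive inputs.version. A temp file stands in for $GITHUB_ENV (assumption).

# Pattern Semgrep flags: the value is spliced into the script source, exactly as
# the Actions runner does with ${{ inputs.version }} inside run:, so shell
# syntax in the value (here $(...)) is executed instead of being written out.
unsafe_step() {
  version="$1"; env_file="$2"
  sh -c "echo RELEASE_VERSION=$version >> '$env_file'"
}

# Recommended pattern: the value reaches the script only through the
# environment (env: in the workflow) and is always expanded inside double
# quotes, so the shell treats it as data. The quoted heredoc delimiter keeps
# the script text fixed; nothing from the input is part of it.
safe_step() {
  RELEASE_INPUT="$1" GITHUB_ENV="$2" sh -s <<'EOF'
echo "RELEASE_VERSION=$RELEASE_INPUT" >> "$GITHUB_ENV"
echo "RELEASE_VERSION_WITHOUT_SUFFIX=$(printf '%s' "$RELEASE_INPUT" | awk -F- '{print $1}')" >> "$GITHUB_ENV"
EOF
}

# Runs one of the step functions with a version whose $(...) creates a marker
# file; returns 0 if the marker appeared, i.e. the input was run as code.
attack_succeeds() {
  step="$1"
  marker=$(mktemp -u)
  env_file=$(mktemp)
  "$step" "5.3.0\$(touch $marker)" "$env_file"
  rm -f "$env_file"
  if [ -e "$marker" ]; then rm -f "$marker"; return 0; fi
  return 1
}

# Runs a step with a given input and prints what ended up in the env file.
recorded_env() {
  step="$1"; value="$2"
  env_file=$(mktemp)
  "$step" "$value" "$env_file"
  cat "$env_file"
  rm -f "$env_file"
}

# Demo output when run directly.
echo "unsafe_step executed the payload: $(attack_succeeds unsafe_step && echo yes || echo no)"
echo "safe_step executed the payload:   $(attack_succeeds safe_step && echo yes || echo no)"
recorded_env safe_step 'v5.3.0-rc1$(id)'
```

The same reasoning applies to every expression spliced into run:, including github.ref_name, since a branch name may legally contain $, ( and ;.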
Force-pushed from cc90723 to cd8c537
| if [[ "${{ inputs.version }}" =~ (alpha|beta|rc)[0-9]+$ ]]; then | ||
| echo NEXT_VERSION=$(echo ${{ inputs.version }} | awk -F- '{print $1}') >> $GITHUB_ENV | ||
| echo RELEASE_BRANCH=${{ github.ref_name }} >> $GITHUB_ENV | ||
| echo CURRENT_TAG=$(git \ |
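Review bot: ${{ github.ref_name }} on the RELEASE_BRANCH line has the same problem as ${{ inputs.version }}: it is expanded into the script before bash runs it, and a branch name may legally contain $, (, ) and ;, so it should also be passed through env: and used as "$RELEASE_BRANCH". NEXT_VERSION is computed with the same awk -F- '{print $1}' as RELEASE_VERSION_WITHOUT_SUFFIX in the earlier hunk; one of the two variables would do.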
This git command is somewhat complex. What it does: a) gets all tags, b) teaches git that those suffixes make a version lower than just the minor/major version, c) gets the first one in the list (which is the most current tag).
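The three steps described above, run against a throwaway repository with constructed tags, as an added example that is not the project's workflow or history. latest_release_tag is the workflow's command wrapped in a function; latest_tag_without_suffix_config is the same listing without step b), to show what the versionsort.suffix settings change. The repository, its tag names and the helper names are constructed for this demo.

```shell
#!/bin/sh
# Added example, not code from the PR. Builds a throwaway repo with made-up
# tags and runs the workflow's tag-selection command against it.

# The workflow step, taking the repo path as $1. versionsort.suffix is
# multi-valued: each -c appends one suffix, and the order given here
# (alpha < beta < rc < final release) is the order git sorts them in.
latest_release_tag() {
  git -C "$1" \
    -c versionsort.suffix=-alpha \
    -c versionsort.suffix=-beta \
    -c versionsort.suffix=-rc \
    tag --list 'r*' --sort=-v:refname | head -n 1
}

# Same listing without the suffix config: git then treats "r5.3.0-rc2" as newer
# than "r5.3.0" because the longer string sorts after its prefix, so the
# release candidate would be picked as the current tag.
latest_tag_without_suffix_config() {
  git -C "$1" tag --list 'r*' --sort=-v:refname | head -n 1
}

# Creates the demo repository; the tag names are constructed, not real ones.
make_demo_repo() {
  dir=$(mktemp -d)
  git -C "$dir" init -q
  git -C "$dir" -c user.name=demo -c user.email=demo@example.invalid \
    commit -q --allow-empty -m "initial commit"
  for t in r5.2.1 r5.3.0-alpha1 r5.3.0-rc1 r5.3.0-rc2 r5.3.0; do
    git -C "$dir" tag "$t"
  done
  printf '%s\n' "$dir"
}

repo=$(make_demo_repo)
echo "with suffix config:    $(latest_release_tag "$repo")"                 # r5.3.0
echo "without suffix config: $(latest_tag_without_suffix_config "$repo")"   # r5.3.0-rc2
```

Because the sort is over every tag matching r*, the function returns the highest version in the repository, so on a branch that releases an older minor the result is not necessarily the previous release of that branch.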
Fix GitHub Actions release notes generation - Corrects an issue where draft release notes included commits from earlier releases due to an incorrect comparison range. Additional changes were necessary due to feedback from the semgrep-code bot, specifically moving variables to env vars.
Tested: https://github.com/atandon2024/mongo-java-driver/releases/tag/untagged-d68ec2c3f4e63cb2b5e0