Skip to content

Fix release notes diff in github release actions #1882

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
atandon2024 wants to merge 8 commits into
base: main
Choose a base branch
from
+44 −33
Open

Fix release notes diff in github release actions #1882

Changes from 7 commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
338729b
Fix github release note diff
atandon2024 Jan 29, 2026
eee55d3
remove config files
atandon2024 Jan 29, 2026
31ccd27
updtaes to release yml
atandon2024 Feb 6, 2026
628585f
Merge branch 'mongodb:main' into main
atandon2024 Feb 6, 2026
7814ee9
Revisions to release yml
atandon2024 Feb 6, 2026
5b68b5b
change current tag command in release yml to fix alpha/beta/rc diffs
atandon2024 May 18, 2026
cd8c537
Merge branch 'revised-fix-for-github-alpha-beta-release' into fix-git…
atandon2024 May 18, 2026
61f89a9
fixed security injection semgrep
atandon2024 May 18, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 8 additions & 1 deletion .github/workflows/release.yml
View file
Open in desktop
Copy link
Copy Markdown
Member

@vbabanin vbabanin Feb 11, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Have we tested this in the fork yet? I also noticed the note: "Needs to be tested by triggering GitHub Actions manually before merging.”

Copy link
Copy Markdown
Author

@atandon2024 atandon2024 May 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@vbabanin tested finally - https://github.com/atandon2024/mongo-java-driver/releases/tag/untagged-d68ec2c3f4e63cb2b5e0

Original file line number Diff line number Diff line change
Expand Up @@ -23,11 +23,12 @@ jobs:
steps:
- name: "Create release output"
run: echo '🎬 Release process for version ${{ env.RELEASE_VERSION }} started by @${{ github.triggering_actor }}' >> $GITHUB_STEP_SUMMARY

- uses: mongodb-labs/drivers-github-tools/secure-checkout@v2
with:
app_id: ${{ vars.APP_ID }}
private_key: ${{ secrets.APP_PRIVATE_KEY }}
fetch-depth: 0
Copy link
Copy Markdown
Member

@rozza rozza Feb 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What does this do?

I think fetch-depth: 0 fetches all history for all branches and tags. But is it just for the mongodb-labs/drivers-github-tools/secure-checkout or is it for the java driver repo itself?

Copy link
Copy Markdown
Author

@atandon2024 atandon2024 Feb 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@rozza yes fetch-depth 0 fetches all branches and tags.

Per the GitHub Actions documentation (https://docs.github.com/en/actions/tutorials/create-an-example-workflow), drivers-github-tools is only pulled internally to run the action itself. The checkout operates on github.ref.


- name: "Store version numbers in env variables"
# The awk command to increase the version number was copied from
Expand All @@ -43,6 +44,11 @@ jobs:
# Example: 5.2.0 => 5.2.x
# Example: 5.2.0-beta1 => <current branch>
run: |
echo CURRENT_TAG=$(git \
Copy link
Copy Markdown
Author

@atandon2024 atandon2024 May 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this git command is somewhat complex. what it does - a) get all tags b) teaches git that those suffixes make a version lower than just the minor/major version c) get the first one in the list (which is the most current tag)

-c versionsort.suffix=-alpha \
-c versionsort.suffix=-beta \
-c versionsort.suffix=-rc \
tag --list 'r*' --sort=-v:refname | head -n 1) >> $GITHUB_ENV
echo RELEASE_VERSION=${{ inputs.version }} >> $GITHUB_ENV
echo RELEASE_VERSION_WITHOUT_SUFFIX=$(echo ${{ inputs.version }} | awk -F- '{print $1}') >> $GITHUB_ENV
if [[ "${{ inputs.version }}" =~ (alpha|beta|rc)[0-9]+$ ]]; then
Copy link
Copy Markdown

@semgrep-code-mongodb semgrep-code-mongodb Bot May 18, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Using variable interpolation ${{...}} with github context data in a run: step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. github context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with env: to store the data and use the environment variable in the run: script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR".

🌟 Fixed in commit 61f89a9 🌟

Expand Down Expand Up @@ -130,6 +136,7 @@ jobs:
--target ${{ env.RELEASE_BRANCH }} \
--title "Java Driver ${{ env.RELEASE_VERSION }} ($(date '+%B %d, %Y'))" \
--generate-notes \
--notes-start-tag "${{ env.CURRENT_TAG }}" \
--draft\
)" >> "$GITHUB_ENV"

Expand Down