Conversation


@adrianschmidt adrianschmidt commented May 22, 2025

fix: #3561

Summary by CodeRabbit

  • Chores
    • Improved consistency and clarity in workflow scripts by switching from inline variable interpolation to using environment variables in GitHub Actions and related scripts.
    • Simplified documentation publishing and cleanup workflows by standardizing variable usage.
    • Updated help messaging in documentation publishing script for clarity.

Review:

  • Commits are atomic
  • Commits have the correct type for the changes made
  • Commits with breaking changes are marked as such

Browsers tested:

(Check any that apply; it's ok to leave boxes unchecked if testing something didn't seem relevant.)

Windows:

  • Chrome
  • Edge
  • Firefox

Linux:

  • Chrome
  • Firefox

macOS:

  • Chrome
  • Firefox
  • Safari

Mobile:

  • Chrome on Android
  • iOS

@Copilot Copilot AI review requested due to automatic review settings May 22, 2025 09:09

coderabbitai bot commented May 22, 2025

Caution

Review failed

The pull request is closed.

📝 Walkthrough


The changes refactor several GitHub Actions workflows and related scripts to replace direct variable interpolation in shell commands with the use of environment variables. This adjustment is applied consistently across workflow files and scripts, affecting how inputs, secrets, and other variables are referenced within shell scripts, without altering the underlying logic or functionality.

Changes

File(s) and change summary:

  • .github/actions/upload-frontend-build-output-to-s3/action.yml: Updated to set PACKAGE_VERSION as an environment variable and use it in shell commands instead of direct input interpolation. Quoted tar extraction and AWS S3 copy commands to handle special characters in paths.
  • .github/workflows/cleanup.yml and .github/workflows/pr-checks.yml: Refactored workflow steps to assign variables (e.g., PR number, merge token) as environment variables and reference them in shell commands, replacing inline GitHub Actions expression syntax.
  • .github/workflows/create-backport-branch.yml: Modified to pass both inputs and outputs as environment variables to shell scripts in each step, replacing direct ${{ }} interpolation in command strings. Quoted $GITHUB_OUTPUT in output appends for consistency.
  • .github/workflows/publish-docs.yml: Changed to use environment variables for inputs and to construct conditional arguments in a multi-line shell script, replacing inline conditional interpolation in the npm publish command.
  • publish-docs.js: Simplified help message by removing author options; updated commit logic to use the COMMIT_MESSAGE environment variable for the commit message instead of direct string interpolation. Enhanced commit failure handling to ignore "nothing to commit" errors.

Sequence Diagram(s)

sequenceDiagram
    participant GitHub Actions Workflow
    participant Shell Script/Command
    participant Environment Variables

    GitHub Actions Workflow->>Environment Variables: Set variables (e.g., PR_NUMBER, PACKAGE_VERSION)
    GitHub Actions Workflow->>Shell Script/Command: Run script referencing env vars (e.g., $PR_NUMBER)
    Shell Script/Command->>Environment Variables: Access variables via $VAR
    Shell Script/Command->>Shell Script/Command: Execute logic using env vars

Assessment against linked issues (objective, addressed, explanation):

  • Replace direct variable interpolation in shell commands with environment variables in all workflows (#3561)

Suggested reviewers

  • anderssonjohan

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

npm warn config production Use --omit=dev instead.
npm error Exit handler never called!
npm error This is an error with npm itself. Please report this error at:
npm error https://github.com/npm/cli/issues
npm error A complete log of this run can be found in: /.npm/_logs/2025-05-28T10_52_32_896Z-debug-0.log


📜 Recent review details

Configuration used: .coderabbit.yaml
Review profile: ASSERTIVE
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d4084fd and 4ca7a37.

📒 Files selected for processing (6)
  • .github/actions/upload-frontend-build-output-to-s3/action.yml (1 hunks)
  • .github/workflows/cleanup.yml (1 hunks)
  • .github/workflows/create-backport-branch.yml (2 hunks)
  • .github/workflows/pr-checks.yml (1 hunks)
  • .github/workflows/publish-docs.yml (1 hunks)
  • publish-docs.js (1 hunks)


@Copilot Copilot AI left a comment


Pull Request Overview

This PR refactors the publish-docs.js script and several GitHub Actions workflows to pass runtime parameters via environment variables instead of inline string interpolation, mitigating command-injection risks.

  • Removed direct --authorName/--authorEmail flags and introduced COMMIT_MESSAGE env var in publish-docs.js.
  • Updated publish-docs.yml, pr-checks.yml, create-backport-branch.yml, and cleanup.yml to export inputs as environment variables (e.g. DOCS_VERSION, PR_NUMBER) and reference them in shell steps.
  • Modified the S3 upload action to use a PACKAGE_VERSION env var for the destination path.

Reviewed Changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 2 comments.

Summary per file:

  • publish-docs.js: Removed author flags and now injects COMMIT_MESSAGE via env.
  • .github/workflows/publish-docs.yml: Introduced DOCS_VERSION and FORCE_PUSH env vars.
  • .github/workflows/pr-checks.yml: Moved PR number and token into PR_NUMBER/MERGE_TOKEN env.
  • .github/workflows/create-backport-branch.yml: Exported version inputs as LAST_RELEASE_VERSION/NEW_RELEASE_VERSION env.
  • .github/workflows/cleanup.yml: Added PR_NUMBER env var for --remove=PR-$PR_NUMBER.
  • .github/actions/upload-frontend-build-output-to-s3/action.yml: Added PACKAGE_VERSION env var for S3 path.
Comments suppressed due to low confidence (2)

publish-docs.js:50

  • The usage output should be updated to document the new COMMIT_MESSAGE environment variable and remove references to the deprecated --authorName/--authorEmail flags to keep the help text accurate.
usage: npm run docs:publish [-- [--v=<version>] [--remove=<pattern>]

publish-docs.js:380

  • Add unit or integration tests to cover the new commit logic using COMMIT_MESSAGE to ensure the script behaves correctly when environment variables are set or missing.
function commit(message) {


Documentation has been published to https://lundalogik.github.io/lime-elements/versions/PR-3564/

@adrianschmidt adrianschmidt force-pushed the fix-command-injection-vulnerability branch from e659399 to a3cc3f7 Compare May 22, 2025 09:12

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🔭 Outside diff range comments (1)
.github/workflows/create-backport-branch.yml (1)

53-60: 🧹 Nitpick (assertive)

Apply same quoting to $GITHUB_OUTPUT
Consistently wrap $GITHUB_OUTPUT in quotes for this step as well:

- echo "new_major=$new_major" >> $GITHUB_OUTPUT
- echo "new_minor=$new_minor" >> $GITHUB_OUTPUT
+ echo "new_major=$new_major" >> "$GITHUB_OUTPUT"
+ echo "new_minor=$new_minor" >> "$GITHUB_OUTPUT"
♻️ Duplicate comments (1)
.github/workflows/publish-docs.yml (1)

48-53: 🧹 Nitpick (assertive)

Quote environment variables to prevent word splitting

While using environment variables is a good security practice, the variables should be quoted in the shell command to prevent word splitting or unintended globbing if they contain spaces or special characters.

-        npm run docs:publish -- --v=$DOCS_VERSION $FORCE_PUSH_PARAM
+        npm run docs:publish -- --v="$DOCS_VERSION" "$FORCE_PUSH_PARAM"
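Review bot: quoting "$FORCE_PUSH_PARAM" on the `+` line passes an explicit empty-string argument to `npm run docs:publish` whenever the variable is unset, which the script may then treat as a bogus positional option; rather than quoting it, build the optional flag conditionally and only append it when set, for example `if [ "$FORCE_PUSH" = "true" ]; then FORCE_PUSH_PARAM=--forcePush; fi` followed by `npm run docs:publish -- --v="$DOCS_VERSION" ${FORCE_PUSH_PARAM:+"$FORCE_PUSH_PARAM"}`, so no empty argument is produced.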
📜 Review details

Configuration used: .coderabbit.yaml
Review profile: ASSERTIVE
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 630d258 and a3cc3f7.

📒 Files selected for processing (6)
  • .github/actions/upload-frontend-build-output-to-s3/action.yml (1 hunks)
  • .github/workflows/cleanup.yml (1 hunks)
  • .github/workflows/create-backport-branch.yml (6 hunks)
  • .github/workflows/pr-checks.yml (1 hunks)
  • .github/workflows/publish-docs.yml (1 hunks)
  • publish-docs.js (1 hunks)
🔇 Additional comments (8)
.github/actions/upload-frontend-build-output-to-s3/action.yml (1)

26-32: Good security improvement with environment variables!

Using environment variables instead of direct variable interpolation in shell commands is an excellent security practice that prevents potential command injection vulnerabilities. This change correctly implements this pattern by setting the package version as an environment variable and referencing it in the AWS S3 command.

.github/workflows/cleanup.yml (1)

30-33: Proper security practice implemented

Excellent change to use environment variables instead of direct interpolation in shell commands. This prevents command injection vulnerabilities by ensuring the PR number is properly passed to the script.

.github/workflows/pr-checks.yml (1)

97-100: Good security improvement for API call

Using environment variables for the PR number and merge token in the curl command is a significant security improvement. This prevents potential command injection attacks that could occur with direct variable interpolation in shell commands.

publish-docs.js (1)

385-388: Good use of environment variables for commit message

Using an environment variable for the commit message is a solid security improvement that prevents command injection vulnerabilities. The implementation correctly passes the environment variable to the shell process.

.github/workflows/create-backport-branch.yml (4)

63-74: Approve environment variable propagation
Binding the step outputs (new_major, new_minor, last_major, last_minor) to environment variables improves readability and security. The comparison logic is unchanged and correctly uses numeric tests.


87-96: Approve branch naming via env vars
Using env to inject BUMP_TYPE, LAST_MAJOR, and LAST_MINOR keeps the script clean. The conditional logic for setting branch_name is clear and concise.


108-114: Approve optional git tag input handling
Mapping the optional last_release_git_tag input into LAST_RELEASE_GIT_TAG_INPUT and falling back to v{version} is robust. Environment variable usage is consistent throughout.


130-140: Approve tag-based branch creation steps
Fetching the tag, checking it out, branching, and pushing with BRANCH_NAME from env correctly leverages the environment variables and avoids inlining ${{ }}.

@adrianschmidt adrianschmidt force-pushed the fix-command-injection-vulnerability branch from a3cc3f7 to c234c78 Compare May 22, 2025 15:02
@adrianschmidt
Contributor Author

@coderabbitai full review


coderabbitai bot commented May 22, 2025

✅ Actions performed

Full review triggered.

@adrianschmidt adrianschmidt enabled auto-merge (rebase) May 22, 2025 15:37
@adrianschmidt adrianschmidt self-assigned this May 22, 2025

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 5

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: ASSERTIVE
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 630d258 and c234c78.

📒 Files selected for processing (6)
  • .github/actions/upload-frontend-build-output-to-s3/action.yml (1 hunks)
  • .github/workflows/cleanup.yml (1 hunks)
  • .github/workflows/create-backport-branch.yml (3 hunks)
  • .github/workflows/pr-checks.yml (1 hunks)
  • .github/workflows/publish-docs.yml (1 hunks)
  • publish-docs.js (1 hunks)
🔇 Additional comments (6)
.github/workflows/create-backport-branch.yml (6)

41-47: Correctly source and quote last release version extraction
The Extract Last Release Major and Minor Versions step now uses an env declaration for LAST_RELEASE_VERSION and properly quotes $GITHUB_OUTPUT when exporting last_major and last_minor, preventing word-splitting or injection.


53-59: Correctly source and quote new release version extraction
The Extract New Release Major and Minor Versions step cleanly pulls NEW_RELEASE_VERSION via env and safely exports new_major/new_minor with quoted redirections to $GITHUB_OUTPUT.


65-85: Use environment variables for bump type determination
The Determine Bump Type step now sources NEW_MAJOR, NEW_MINOR, LAST_MAJOR, and LAST_MINOR through env, uses proper integer comparisons (-gt, -eq), and quotes $GITHUB_OUTPUT when setting bump_type.


89-107: Use environment variables for branch name computation
The Determine Branch Name step consistently pulls in BUMP_TYPE, LAST_MAJOR, and LAST_MINOR via env and safely writes branch_name to $GITHUB_OUTPUT with proper quoting.


111-121: Use environment variables for setting the last release git tag
The Set Last Release Git Tag step cleanly differentiates between an explicit input and a default fallback by using LAST_RELEASE_GIT_TAG_INPUT / LAST_RELEASE_VERSION_INPUT and quotes the output redirection correctly.


132-140: Use environment variables for branch creation commands
The Create Release Branch step properly fetches, checks out, and pushes using LAST_RELEASE_GIT_TAG and BRANCH_NAME from env, and quotes these variables in the Git commands to guard against injection or splitting.

@adrianschmidt adrianschmidt force-pushed the fix-command-injection-vulnerability branch from 96cd68b to d4084fd Compare May 22, 2025 16:08

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

♻️ Duplicate comments (1)
.github/workflows/pr-checks.yml (1)

97-107: Multiline Automerge step for readability
The Automerge curl command has been refactored into a multiline block with PR_NUMBER and MERGE_TOKEN injected as environment variables, enhancing clarity and reducing quoting issues. This matches the previously suggested improvement.

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: ASSERTIVE
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c234c78 and d4084fd.

📒 Files selected for processing (6)
  • .github/actions/upload-frontend-build-output-to-s3/action.yml (1 hunks)
  • .github/workflows/cleanup.yml (1 hunks)
  • .github/workflows/create-backport-branch.yml (3 hunks)
  • .github/workflows/pr-checks.yml (1 hunks)
  • .github/workflows/publish-docs.yml (1 hunks)
  • publish-docs.js (1 hunks)
🔇 Additional comments (8)
.github/workflows/create-backport-branch.yml (4)

65-85: Bump type determination is secure and clear
Inputs from previous steps are injected via env, and bump_type is determined purely in shell with all outputs quoted. This eliminates inline interpolation and mitigates command injection risks.


89-107: Branch naming logic with environment variables
The BUMP_TYPE, LAST_MAJOR, and LAST_MINOR values are now sourced from env, and the generated branch_name is echoed safely. This decouples logic from GitHub expressions and reduces injection surface.


110-122: Robust git tag fallback via environment variables
By injecting LAST_RELEASE_GIT_TAG_INPUT and LAST_RELEASE_VERSION_INPUT, you ensure a safe fallback to v{version} when no tag is provided. The conditional check and subsequent echo to "$GITHUB_OUTPUT" are properly quoted.


132-140: Safe branch creation steps
The LAST_RELEASE_GIT_TAG and BRANCH_NAME from prior steps are injected via env and used with proper quoting in git fetch, git checkout, and git push, preventing any command injection and handling branch names safely.

.github/workflows/cleanup.yml (1)

30-33: Safe removal of PR docs via environment variables
The pull request number is now passed as PR_NUMBER in env, and the --remove flag value is quoted ("PR-$PR_NUMBER") to prevent word splitting or globbing. This aligns with secure shell command practices.

.github/actions/upload-frontend-build-output-to-s3/action.yml (1)

26-32: Secure upload to S3 with quoted arguments
The PACKAGE_VERSION input is injected via env, and both the tar extraction ("$FILENAME") and the aws s3 cp destination path ("s3://limecloud-static-files/packages/$PKG_NAME/$PACKAGE_VERSION") are properly quoted. This guards against special characters in file names and package versions.

.github/workflows/publish-docs.yml (1)

45-53: Conditional publish with safe flag injection
The version and forcePush inputs are now exposed as DOCS_VERSION and FORCE_PUSH variables. The script conditionally includes the --forcePush flag only when needed, avoiding empty arguments, and all values are properly quoted.

publish-docs.js (1)

385-393: Excellent security improvement that prevents command injection!

The code now properly passes the commit message as an environment variable instead of directly interpolating it into the shell command. This change effectively prevents command injection vulnerabilities. Additionally, the error handling has been improved to gracefully handle no-op commits by checking for "nothing to commit" and "no changes added to commit" messages.

Contributor Author

This workflow is not in active use. It can be run manually, but would need some updating to be more user friendly.

Successful test run here: https://github.com/Lundalogik/lime-elements/actions/runs/15205209129/job/42766624340

anderssonjohan previously approved these changes May 23, 2025

@anderssonjohan anderssonjohan left a comment

LGTM!


Contributor Author

This workflow has obviously been run for this PR 😄

Contributor Author

This workflow has also been run for this PR.

Contributor Author

This script is called by the above workflow, so it has been run for this PR.

Result available here (until it's been cleaned up by cleanup.yml of course): https://lundalogik.github.io/lime-elements/versions/PR-3564/#/

@adrianschmidt adrianschmidt force-pushed the fix-command-injection-vulnerability branch from 8f1eba6 to 4099d10 Compare May 23, 2025 09:07
@adrianschmidt adrianschmidt merged commit 7ed45b7 into main May 23, 2025
12 checks passed
@adrianschmidt adrianschmidt deleted the fix-command-injection-vulnerability branch May 23, 2025 09:10
adrianschmidt added a commit that referenced this pull request May 23, 2025
…ons workflows

- Replace vulnerable `$(cat .nvmrc)` pattern with safe file reading
- Create reusable composite action for secure Node.js setup
- Update all workflows to use the new secure setup method

fix: #3564
adrianschmidt added a commit that referenced this pull request May 26, 2025
…ons workflows

- Replace vulnerable `$(cat .nvmrc)` pattern with safe file reading
- Create reusable composite action for secure Node.js setup
- Update all workflows to use the new secure setup method

fix: #3564
@lime-opensource
Collaborator

🎉 This PR is included in version 38.13.3 🎉

The release is available on:

Your semantic-release bot 📦🚀

Development

Successfully merging this pull request may close these issues.

Fix any remote command injection vulnerabilities in GitHub Actions workflows
