
Stop interpolating release analyzer workflow inputs into shell commands#5272

Open
petrmarinec wants to merge 2 commits into google:main from petrmarinec:fix-release-workflow-input-handling

Conversation

@petrmarinec

Link to Issue or Description of Change

1. Link to an existing issue (if applicable):

2. Or, if no issue exists, describe the change:

Problem:
The release analyzer workflow interpolated workflow_dispatch string inputs directly into the shell command used in run:. That let shell metacharacters in start_tag or end_tag be parsed by bash before Python started.

Solution:
Move the dispatch inputs into environment variables and build the Python argument list in bash using an array before invoking the analyzer. This keeps the input values as data instead of shell syntax.

Testing Plan

Unit Tests:

  • I have added or updated unit tests for my change.
  • All unit tests pass locally.

There is no repo unit-test harness for this workflow YAML.

Manual Validation:

  • Parsed the updated workflow YAML successfully.
  • In Linux Docker, the pre-patch rendered command `python -m adk_release_analyzer.main --start-tag v1.0.0; touch /tmp/gh-before-proof #` created the proof file.
  • In Linux Docker, the patched bash-array form received the same malicious value as a single argv element:
    • `["--start-tag", "v1.0.0; touch /tmp/gh-after-proof #"]`
  • The patched form did not create the proof file.

Checklist

  • I have read the CONTRIBUTING.md document.
  • I have performed a self-review of my own code.
  • I have commented my code, particularly in hard-to-understand areas.
  • I have added tests that prove my fix is effective or that my feature works.
  • New and existing unit tests pass locally with my changes.
  • I have manually tested my changes end-to-end.
  • Any dependent changes have been merged and published in downstream modules.

Additional context

This is a small workflow hardening change intended to remove shell interpretation of workflow_dispatch string inputs while preserving the existing analyzer behavior.
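The following script is an added illustration and is not code from this pull request or from the ADK repository. The workflow's actual YAML is not shown on this page, so the pre-patch and patched `run:` shapes in the comments are reconstructed from the description above, and `fake_analyzer` is a constructed stand-in for `python -m adk_release_analyzer.main` that only echoes its argv. It models the two behaviours the author tested: the rendered-command form lets a metacharacter payload execute, while the env-var plus bash-array form delivers the same payload as one argument.

```bash
#!/usr/bin/env bash
# Added example, not the PR's own code. Reconstructed (assumed) workflow shapes:
#
#   # pre-patch: the runner pastes the raw input into the script text
#   run: python -m adk_release_analyzer.main --start-tag ${{ inputs.start_tag }}
#
#   # patched: the input travels as an environment variable and is expanded
#   # once, inside a quoted array element
#   env:
#     START_TAG: ${{ inputs.start_tag }}
#   run: |
#     args=(--start-tag "$START_TAG")
#     python -m adk_release_analyzer.main "${args[@]}"

# Constructed stand-in for the analyzer: one argv element per output line,
# so the caller can see how many arguments arrived and what they held.
fake_analyzer() {
  printf '%s\n' "$@"
}

# Pre-patch model: template substitution has already happened when bash reads
# the script, so the payload is parsed as shell syntax. eval plays the role of
# that rendering step; the untrusted value is spliced into command text.
vulnerable_run() {
  rendered="fake_analyzer --start-tag $1"
  eval "$rendered"
}

# Patched model: the value is read from $START_TAG and expanded inside a quoted
# array element, so whatever it contains becomes exactly one argv entry.
hardened_run() {
  args=(--start-tag "$START_TAG")
  fake_analyzer "${args[@]}"
}

# Returns the second argv element the analyzer saw for the given command.
second_arg() {
  "$@" | sed -n '2p'
}

demo() {
  dir=$(mktemp -d)
  payload="v1.0.0; touch $dir/proof #"   # constructed malicious input

  vulnerable_run "$payload" >/dev/null
  if [ -e "$dir/proof" ]; then
    echo "pre-patch: proof file created, the input ran as shell"
  fi
  rm -f "$dir/proof"

  START_TAG="$payload" hardened_run >/dev/null
  if [ ! -e "$dir/proof" ]; then
    echo "patched: no proof file; analyzer got: $(START_TAG="$payload" second_arg hardened_run)"
  fi
  rm -rf "$dir"
}

# Run the demonstration only when executed directly, not when sourced.
[ "${BASH_SOURCE[0]}" = "$0" ] && demo
```

The same reasoning applies to any `${{ inputs.* }}`, `${{ github.event.* }}` or similar expression: once it is pasted into `run:` text it is code, whereas read from `env:` it is data that bash quotes for you. Passing the array with `"${args[@]}"` rather than `$args` or an unquoted string is what keeps it that way.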

@adk-bot adk-bot added the tools [Component] This issue is related to tools label Apr 10, 2026
@rohityan rohityan self-assigned this Apr 13, 2026
@rohityan rohityan added the needs review [Status] The PR/issue is awaiting review from the maintainer label Apr 13, 2026
@rohityan
Collaborator

Hi @petrmarinec , Thank you for your contribution! We appreciate you taking the time to submit this pull request. Your PR has been received by the team and is currently under review. We will provide feedback as soon as we have an update to share.

@rohityan
Collaborator

Hi @DeanChensj , can you please review this.

@rohityan rohityan added workflow [Component] This issue is related to ADK workflow and removed tools [Component] This issue is related to tools labels Apr 13, 2026