Release workflow security logic #231

Closed

cursor[bot] wants to merge 3 commits into main from cursor/release-workflow-security-logic-7d18


Conversation


@cursor cursor bot commented Feb 20, 2026

Bare minimum self-checks

What do you think of a person who only does the bare minimum?

  • I've updated this PR with the latest code from main
  • I've done a cursory QA pass of my code locally
  • I've ensured all automated status checks and tests pass
  • I've connected this PR to an issue

Pieces of flare

  • I've written a unit or functional test for my code
  • I've updated relevant documentation if my code changes it
  • I've updated this repo's README if my code changes it
  • I've updated this repo's CHANGELOG with my change unless it's a trivial change (like fixing a typo in the docs)

Finally

If you have any issues or need help please join the #contributors channel in the Lando slack and someone will gladly help you out!

You can also check out the coder guide.


This PR addresses two issues in the release.yml GitHub Actions workflow:

  1. Script injection via tag_name in shell command: Mitigated a high-severity security vulnerability by passing github.event.release.tag_name via an environment variable to prevent shell injection when running npm dist-tag add.
  2. Editing older release regresses npm latest tag: Fixed a medium-severity logic bug by modifying the promote job's condition to only trigger if a release's prerelease status explicitly changes from true to false, preventing the latest npm tag from regressing when older releases are merely edited.
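The two fixes as an added, illustrative workflow fragment, not the project's own release.yml: the vulnerable inline expansion is kept as a comment beside the hardened form that hands the tag to the shell through `env`, and the `promote` job carries the edited-prerelease condition the description calls for. The package name `@example/pkg`, the `NPM_TOKEN` secret name and the `github.event.changes.prerelease.from` payload path are assumptions reconstructed from the PR description and commit messages rather than values taken from the repository.

```yaml
# Added example (not the project's own release.yml).
# Both the 'published' and 'edited' release actions reach this workflow;
# each job narrows the action it reacts to in its own 'if'.
on:
  release:
    types: [published, edited]

jobs:
  # Existing publish pipeline stays gated to 'published' events only.
  deploy:
    if: github.event.action == 'published'
    runs-on: ubuntu-latest
    steps:
      - run: echo "full publish pipeline runs here"

  # Lightweight job that moves the npm 'latest' dist-tag when, and only
  # when, an existing prerelease is edited into a full (non-draft) release.
  # Editing the notes of an older, already-full release therefore does not
  # re-point 'latest' at an old version.
  # ASSUMPTION: the changes.prerelease.from path mirrors the PR's
  # "prerelease.from check"; confirm it against the release event payload.
  promote:
    if: >-
      github.event.action == 'edited' &&
      github.event.changes.prerelease.from == true &&
      github.event.release.prerelease == false &&
      !github.event.release.draft
    runs-on: ubuntu-latest
    steps:
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          registry-url: https://registry.npmjs.org

      # VULNERABLE form (do not use): the expression is substituted into the
      # script text before bash parses it, so a tag name containing shell
      # metacharacters becomes part of the command, not an argument.
      # - run: npm dist-tag add "@example/pkg@${{ github.event.release.tag_name }}" latest

      # HARDENED form: the tag reaches bash as an environment variable and is
      # expanded by bash at runtime inside double quotes, so it is plain data.
      - run: npm dist-tag add "${PACKAGE}@${TAG_NAME}" latest
        env:
          PACKAGE: "@example/pkg"                              # assumed name
          TAG_NAME: ${{ github.event.release.tag_name }}       # untrusted input
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}            # assumed secret
```

The difference between the two `run` lines is where expansion happens: `${{ }}` is a template substitution performed by the runner on the script source, while `$TAG_NAME` is expanded by bash after the command has already been parsed, so quoting it is enough. To check the condition, edit a prerelease into a full release and confirm the `promote` job runs, then edit only the notes of an older full release and confirm the job is skipped.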

AaronFeledy and others added 3 commits February 19, 2026 19:55
Adds an 'edited' trigger to the release workflow with a lightweight 'promote' job that runs npm dist-tag to move 'latest' to the current version. Only fires when a prerelease is changed to a full release (not drafts). The existing publish pipeline remains gated to 'published' events only.
package.json on main may not reflect the released version since prepare-release-action only runs in the deploy job. Using github.event.release.tag_name is more reliable.
- Move tag_name to env variable to prevent shell injection vulnerability
- Add prerelease.from check to prevent npm latest tag regression on edits

cursor bot commented Feb 20, 2026

Cursor Agent can help with this pull request. Just @cursor in comments and I'll start working on changes in this branch.

@cursor cursor bot closed this Feb 20, 2026
Base automatically changed from feature/promote-edge-on-edit to main February 20, 2026 03:16

cursor bot commented Feb 20, 2026

Automatically closed this PR because it was created by Bugbot autofix for #229, and that PR was closed.
