
ci: validate release tag input and skip Codecov on fork PRs #869

Merged: laurentiu021 merged 3 commits into main from ci/harden-release-input-and-codecov on Jun 12, 2026

@laurentiu021 (Owner)
Summary

Two CI/CD hardening changes (no application code; ci: → no release).

Changes

  • ci.yml — guard the two Codecov steps to skip on fork PRs. Forked pull requests
    have no access to repository secrets, so CODECOV_TOKEN is empty there and the upload
    would fail noisily for no benefit. Same-repo pushes/PRs upload normally. (The UI-tests
    job already had this fork guard; this brings the coverage steps in line.)
  • release.yml — validate the workflow_dispatch tag input before use:
    • Pass the tag through the environment (INPUT_TAG/EVENT_NAME/REF_NAME) instead of
      interpolating ${{ inputs.tag }} directly into the pwsh script body — avoids any
      script injection from a crafted manual-dispatch value.
    • Reject anything that isn't a vMAJOR.MINOR.PATCH tag with a clear error before it
      reaches checkout / version extraction.

Verification

  • YAML is well-formed (no tabs; structure unchanged besides the additions).
  • No application code touched; behavior of normal tag-push releases is unchanged.

ci: → no release.

@laurentiu021 laurentiu021 merged commit 29ba265 into main Jun 12, 2026
4 checks passed
@laurentiu021 laurentiu021 deleted the ci/harden-release-input-and-codecov branch June 12, 2026 12:06
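
The `release.yml` hardening described in this pull request, sketched as an added example (not the repository's actual workflow or the PR's diff). The environment-variable names come from the description; the trigger layout, runner, the expressions mapped to `EVENT_NAME` and `REF_NAME`, the regex and the step output name are assumptions.

```yaml
# Added illustration; not the repository's release.yml.
name: release
on:
  push:
    tags: ['v*']
  workflow_dispatch:
    inputs:
      tag:
        description: Tag to release (vMAJOR.MINOR.PATCH)
        required: true

jobs:
  release:
    runs-on: windows-latest   # assumed runner
    steps:
      # WEAK (shown commented out): the expression is expanded into the
      # script text before pwsh parses it, so the manual-dispatch value
      # becomes part of the script source instead of data.
      # - name: Resolve tag
      #   shell: pwsh
      #   run: |
      #     $tag = "${{ inputs.tag }}"

      # HARDENED: values reach the script only as environment variables,
      # and the tag is checked against a strict pattern before any later
      # step (checkout, version extraction) can consume it.
      - name: Resolve and validate tag
        id: tag
        shell: pwsh
        env:
          INPUT_TAG: ${{ inputs.tag }}
          EVENT_NAME: ${{ github.event_name }}
          REF_NAME: ${{ github.ref_name }}
        run: |
          $tag = if ($env:EVENT_NAME -eq 'workflow_dispatch') { $env:INPUT_TAG } else { $env:REF_NAME }
          # Assumed pattern. -cnotmatch is case-sensitive, [0-9] excludes
          # non-ASCII digits that \d accepts in .NET, \A and \z anchor the whole value.
          if ($tag -cnotmatch '\Av[0-9]+\.[0-9]+\.[0-9]+\z') {
            Write-Host "::error::Invalid release tag; expected vMAJOR.MINOR.PATCH"
            exit 1
          }
          "tag=$tag" >> $env:GITHUB_OUTPUT

      - uses: actions/checkout@v4
        with:
          ref: ${{ steps.tag.outputs.tag }}
```

Later steps should read the validated `steps.tag.outputs.tag` value rather than `inputs.tag`, so nothing downstream sees the unchecked input.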