Skip to content

chore(ci-cd): refactor the branch enforcement workflow #163

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
orama254 merged 1 commit into from
Mar 13, 2026
Merged

chore(ci-cd): refactor the branch enforcement workflow #163

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
26 changes: 20 additions & 6 deletions .github/workflows/branch-check.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,14 +2,28 @@ name: Check Source Branch
on:
pull_request:
branches:
- main
- prod
types:
- opened
- synchronize
- reopened
- edited
jobs:
check-branch:
check-source-branch:
name: check-source-branch
runs-on: ubuntu-latest
steps:
- name: Verify source branch is 'develop'
- name: Check source branch
run: |
if [[ "${{ github.head_ref }}" != "develop" ]]; then
echo "Error: Pull request must come from the 'develop' branch"
HEAD_BRANCH="${{ github.head_ref }}"
BASE_BRANCH="${{ github.base_ref }}"
Comment on lines +18 to +19
Copy link
Contributor

@greptile-apps greptile-apps bot Mar 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Script injection vulnerability via direct context interpolation

${{ github.head_ref }} and ${{ github.base_ref }} are GitHub Actions template expressions that are resolved before the shell script executes. This means a branch name like develop"; malicious_command; echo " would be injected verbatim into the shell, potentially allowing a contributor (with the ability to open a PR from a fork) to execute arbitrary commands in the runner.

GitHub Security Lab documents this as a known injection vector, and github.head_ref is explicitly listed as an untrusted input.

The fix is to assign the context values to environment variables and reference those in the script instead:

      - name: Check source branch
        env:
          HEAD_BRANCH: ${{ github.head_ref }}
          BASE_BRANCH: ${{ github.base_ref }}
        run: |
          echo "PR: ${HEAD_BRANCH} → ${BASE_BRANCH}"

          if [ "$BASE_BRANCH" = "prod" ] && [ "$HEAD_BRANCH" != "develop" ]; then
            echo "::error::Merging to 'prod' is only allowed from the 'develop' branch."
            echo "::error::Source branch '${HEAD_BRANCH}' is not permitted."
            exit 1
          fi

          echo "✅ Source branch '${HEAD_BRANCH}' is allowed to merge into '${BASE_BRANCH}'."

This ensures the branch name is treated as data, not as executable shell syntax.


echo "PR: ${HEAD_BRANCH} → ${BASE_BRANCH}"

if [ "$BASE_BRANCH" = "prod" ] && [ "$HEAD_BRANCH" != "develop" ]; then
Copy link
Contributor

@greptile-apps greptile-apps bot Mar 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Redundant BASE_BRANCH condition

Since the workflow trigger already filters to only run on PRs targeting prod (via branches: [prod] in the on.pull_request config), $BASE_BRANCH will always equal "prod" at runtime. The [ "$BASE_BRANCH" = "prod" ] guard is therefore a no-op in practice.

While this is harmless and could be seen as defensive coding, removing it would simplify the logic and make it easier for future maintainers to understand:

Suggested change
if [ "$BASE_BRANCH" = "prod" ] && [ "$HEAD_BRANCH" != "develop" ]; then
if [ "$HEAD_BRANCH" != "develop" ]; then

Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!

echo "::error::Merging to 'prod' is only allowed from the 'develop' branch."
echo "::error::Source branch '${HEAD_BRANCH}' is not permitted."
exit 1
fi
fi

echo "✅ Source branch '${HEAD_BRANCH}' is allowed to merge into '${BASE_BRANCH}'."
Copy link
Contributor

@greptile-apps greptile-apps bot Mar 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Missing newline at end of file

The file is missing a trailing newline (indicated by \ No newline at end of file in the diff). POSIX standard and most linters expect text files to end with a newline character. This was also missing in the previous version and should be addressed.

Suggested change
echo "✅ Source branch '${HEAD_BRANCH}' is allowed to merge into '${BASE_BRANCH}'."
echo "✅ Source branch '${HEAD_BRANCH}' is allowed to merge into '${BASE_BRANCH}'."

(Add a newline after this final line.)

Loading