34 changes: 17 additions & 17 deletions .github/workflows/docker_release.yml
@@ -9,33 +9,33 @@ env:
IMAGE_NAME: go-ethereum

jobs:
# Push image to GitHub Packages.
push:
runs-on: ubuntu-latest
if: github.event_name == 'push'

steps:
- uses: actions/checkout@v4

- name: Build the Docker image
run: docker build . --file Dockerfile -t "${IMAGE_NAME}"

- name: Log into registry
run: echo "${{ secrets.PACKAGE_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin

- name: Build the Docker image
run: |
docker build . --file Dockerfile \
--build-arg COMMIT="${{ github.sha }}" \
--build-arg VERSION="${{ github.ref_name }}" \
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Verify direct interpolation exists in the workflow.
rg -nP '\$\{\{\s*github\.ref_name\s*\}\}' .github/workflows/docker_release.yml

# Demonstrate bash expansion risk with double-quoted payload.
# The payload stands in for a tag name; it is pasted into the command text the
# same way GitHub substitutes ${{ github.ref_name }} before the shell starts.
python - <<'PY'
import subprocess
payload = 'morph-v$(printf injected)'
cmd = f'echo "{payload}"'
# bash parses the pasted text, so $(...) executes even inside double quotes.
out = subprocess.check_output(["bash", "-lc", cmd], text=True).strip()
print("command:", cmd)
print("output :", out)
# True when the $(...) ran, i.e. the output no longer equals the literal payload.
print("expanded_command_substitution:", out != payload)
PY

Repository: morph-l2/go-ethereum

Length of output: 422


Avoid direct ${{ github.ref_name }} interpolation inside shell scripts.

Using ${{ github.ref_name }} directly in run contexts allows shell expansion from crafted tag names (e.g., $()), enabling command injection. Pass it via step env instead and expand as $REF_NAME in shell.

🔧 Proposed fix
       - name: Build the Docker image
+        env:
+          REF_NAME: ${{ github.ref_name }}
         run: |
           docker build . --file Dockerfile \
             --build-arg COMMIT="${{ github.sha }}" \
-            --build-arg VERSION="${{ github.ref_name }}" \
+            --build-arg VERSION="$REF_NAME" \
             -t "${IMAGE_NAME}"
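Review bot: the env: indirection here is the right fix, and `${{ github.sha }}` can stay inline in the same step: a commit SHA is a 40-character hex string, so unlike a tag name it cannot carry shell syntax. The same reasoning applies to `-t "${IMAGE_NAME}"`, which already comes from the workflow-level env.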
@@
       - name: Push image
+        env:
+          REF_NAME: ${{ github.ref_name }}
         run: |
           IMAGE_ID="ghcr.io/${{ github.repository }}"
@@
-          VERSION=$(echo "${{ github.ref_name }}" | sed -e 's/^morph-v//')
+          VERSION="${REF_NAME#morph-v}"
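Review bot: `VERSION="${REF_NAME#morph-v}"` is a no-op when the ref does not start with `morph-v`, so on a branch push the image would be tagged with the raw branch name. If this step is meant only for release tags, gate it explicitly rather than relying on the prefix strip, for example `if: startsWith(github.ref, 'refs/tags/morph-v')` on the step or job. `${{ github.repository }}` in `IMAGE_ID` is fine to leave inline since it is limited to `owner/repo` characters.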
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/docker_release.yml at line 25, The workflow currently
injects github.ref_name directly into the run shell line (--build-arg
VERSION="${{ github.ref_name }}"), which risks shell expansion; instead add an
environment variable (e.g., REF_NAME) in the step's env and reference that
inside the run/sh command (use "$REF_NAME" when passing --build-arg VERSION) so
the value is provided by GitHub Actions rather than being expanded by the shell;
update the step's env to set REF_NAME: ${{ github.ref_name }} and replace
occurrences of ${{ github.ref_name }} in the run with "$REF_NAME".

-t "${IMAGE_NAME}"

- name: Push image
run: |
IMAGE_ID=ghcr.io/${{ github.repository }}
IMAGE_ID="ghcr.io/${{ github.repository }}"

# Change all uppercase to lowercase
IMAGE_ID=$(echo $IMAGE_ID | tr '[A-Z]' '[a-z]')
# Strip git ref prefix from version
VERSION=$(echo "${{ github.ref }}" | sed -e 's,.*/\(.*\),\1,')
IMAGE_ID=$(echo "$IMAGE_ID" | tr '[A-Z]' '[a-z]')
# Strip "morph-v" prefix from tag name
[[ "${{ github.ref }}" == "refs/tags/"* ]] && VERSION=$(echo $VERSION | sed -e 's/^morph-v//')
echo IMAGE_ID=$IMAGE_ID
echo VERSION=$VERSION
docker tag $IMAGE_NAME $IMAGE_ID:$VERSION
docker tag $IMAGE_NAME $IMAGE_ID:latest
docker push $IMAGE_ID:$VERSION
docker push $IMAGE_ID:latest
VERSION=$(echo "${{ github.ref_name }}" | sed -e 's/^morph-v//')
echo IMAGE_ID="$IMAGE_ID"
echo VERSION="$VERSION"
docker tag "$IMAGE_NAME" "$IMAGE_ID:$VERSION"
docker tag "$IMAGE_NAME" "$IMAGE_ID:latest"
docker push "$IMAGE_ID:$VERSION"
docker push "$IMAGE_ID:latest"
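Review bot: the new push step still interpolates `${{ github.ref_name }}` straight into the shell (`VERSION=$(echo "${{ github.ref_name }}" | sed -e 's/^morph-v//')`), and the build step does the same for `--build-arg VERSION`; the expression is substituted into the script text before bash parses it, so a tag named like `morph-v$(...)` runs the enclosed command on the runner. Set `REF_NAME: ${{ github.ref_name }}` under the step's `env:` and use `VERSION="${REF_NAME#morph-v}"`. The added quoting around `$IMAGE_ID`, `$IMAGE_NAME` and `$VERSION` is a good change. Note also a behaviour change: the old `sed -e 's,.*/\(.*\),\1,'` kept only the last `/`-separated component of `github.ref`, whereas `github.ref_name` keeps slashes, so a ref such as `release/morph-v1.0` would now yield a tag that Docker rejects. Both versions tag and push `latest` unconditionally, gated only by `github.event_name == 'push'`, so unless the trigger (not shown in this hunk) is limited to tags, a branch push overwrites `latest`.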