Conversation
michael-chang-appier commented Apr 14, 2026
- Refactor release workflow shell steps to use environment variables for GitHub context values.
- Replace reusable workflow secrets inheritance with explicit secret mapping.
- Pin checkout action to an immutable commit SHA.
- Add version comments beside pinned SHAs for traceability.
015d335 to 2a3720f
Pull request overview
Refines GitHub Actions release workflows by improving security posture (least-privilege permissions, pinned action SHAs), making shell steps more maintainable via env vars, and tightening reusable-workflow secret passing.
Changes:
- Refactored shell steps to use environment variables for GitHub context values.
- Pinned `actions/checkout` and `slackapi/slack-github-action` to immutable commit SHAs (with version comments).
- Replaced `secrets: inherit` with explicit secret mapping for the Slack reusable workflow.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| .github/workflows/release_framework.yml | Adds minimal permissions, pins checkout, refactors context usage, and explicitly maps the Slack secret to the reusable workflow. |
| .github/workflows/Send_message_to_slack.yml | Declares the required secret for workflow_call, refactors message/payload construction to use env vars + jq, pins the Slack action SHA. |
Pull request overview
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
Pull request overview
Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.
|
|
||
| echo WORKFLOW="$WORKFLOW_NAME" >> $GITHUB_OUTPUT | ||
|
|
||
| echo PR="$PR_TITLE" >> $GITHUB_OUTPUT |
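Review bot: the `echo WORKFLOW="$WORKFLOW_NAME" >> $GITHUB_OUTPUT` line in this hunk has the same single-line shape as the `PR` line, and `$GITHUB_OUTPUT` is unquoted in both. Write `WORKFLOW` with the same multiline `<<` record form that is being proposed for `PR`, and quote the redirection target as `>> "$GITHUB_OUTPUT"` in both lines, so the two outputs are handled consistently and the target path is not subject to word splitting.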
PR_TITLE comes from the PR metadata and can contain newlines or other characters that can break the $GITHUB_OUTPUT file format (output injection), potentially corrupting subsequent outputs and the Slack payload. Write this output using the multiline <<EOF syntax (or otherwise escape/encode the value) rather than echo PR="$PR_TITLE" >> $GITHUB_OUTPUT.
| echo PR="$PR_TITLE" >> $GITHUB_OUTPUT | |
| { | |
| echo "PR<<EOF" | |
| echo "$PR_TITLE" | |
| echo "EOF" | |
| } >> "$GITHUB_OUTPUT" |
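Review bot: the suggested replacement uses the fixed terminator `EOF` (`echo "PR<<EOF"` … `echo "EOF"`), so a title that contains a line consisting exactly of `EOF` would still close the record early and leave the remainder to be parsed as further records. Generate the delimiter per run (for example from `/dev/urandom` or `$RANDOM`) and use the same generated value in the opening and closing lines; keeping `"$GITHUB_OUTPUT"` quoted, as the suggestion already does, is right.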
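The output-injection problem raised in the comment above, worked through in shell as an added example (constructed for this thread; it is not code from the PR or from the appier repositories). It places the unsafe single-line form beside the multiline form with a per-call random delimiter, and adds a small reader that understands both record shapes so the difference can be observed offline. The helper names, the sample title and the reader are assumptions of this example; the reader imitates the two documented `$GITHUB_OUTPUT` record formats and is not the runner's own parser.

```shell
#!/bin/sh
# Writing step outputs safely. Constructed example for this review thread; it is
# not code from the PR or from the appier project. Both helpers append to the
# file named by $GITHUB_OUTPUT, which the runner parses as key=value records.

# Unsafe form: the value is spliced verbatim into one "key=value" line, so a
# value containing a newline ends the record early and whatever follows is
# parsed as further records (output injection).
unsafe_set_output() {
  echo "$1=$2" >> "$GITHUB_OUTPUT"
}

# Safe form: the multiline "key<<DELIM ... DELIM" record, with a delimiter drawn
# at random per call so that no line inside the value can terminate the record
# (a fixed delimiter such as EOF is defeated by a value containing a line "EOF").
safe_set_output() {
  _delim="ghadelim_$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')"
  {
    printf '%s<<%s\n' "$1" "$_delim"
    printf '%s\n' "$2"
    printf '%s\n' "$_delim"
  } >> "$GITHUB_OUTPUT"
}

# Small reader applying the same two record formats the runner understands, so
# the effect of each helper can be observed. Prints the value of output $2
# recorded in file $1 (last definition wins), or nothing if it is absent.
read_output() {
  awk -v want="$2" '
    inblock {
      if ($0 == delim) { inblock = 0; if (name == want) { result = substr(val, 2); found = 1 }; next }
      val = val "\n" $0; next
    }
    {
      eq = index($0, "="); hd = index($0, "<<")
      if (hd > 0 && (eq == 0 || hd < eq)) { name = substr($0, 1, hd - 1); delim = substr($0, hd + 2); val = ""; inblock = 1; next }
      if (eq > 0) { name = substr($0, 1, eq - 1); if (name == want) { result = substr($0, eq + 1); found = 1 } }
    }
    END { if (found) printf "%s", result }' "$1"
}

# Demonstration on a constructed PR title whose second line is shaped like a
# key=value record. Returns 0 when the safe form keeps it inside the PR value.
demo_output_injection() {
  GITHUB_OUTPUT=$(mktemp); export GITHUB_OUTPUT
  title='Fix build
injected=owned'
  unsafe_set_output PR "$title"
  printf 'unsafe: injected=%s\n' "$(read_output "$GITHUB_OUTPUT" injected)"
  : > "$GITHUB_OUTPUT"
  safe_set_output PR "$title"
  printf 'safe:   injected=%s\n' "$(read_output "$GITHUB_OUTPUT" injected)"
  rc=1
  [ -z "$(read_output "$GITHUB_OUTPUT" injected)" ] && rc=0
  rm -f "$GITHUB_OUTPUT"
  return $rc
}

demo_output_injection
```

Run as-is the script prints the value the reader recovers for the injected key under each form: the unsafe form yields `owned`, the safe form yields nothing, because the whole title, newline included, stays inside the `PR` record.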
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 | ||
|
|
||
| - name: Setup gem | ||
| uses: appier/appier-ios-framework/.github/actions/install_gem_dependencies@master |
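Review bot: the `# v4` comment beside the pinned `actions/checkout` SHA is informational only; the runner resolves the SHA, not the comment, so confirm before merging that the SHA is one that the upstream v4 release tags point at, and consider writing the full tag (v4.x.y) in the comment so that dependency-update tooling that reads such comments can track the pin.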
This workflow pins actions/checkout to a commit SHA, but appier/appier-ios-framework/.github/actions/install_gem_dependencies@master is still a mutable ref. For supply-chain safety and reproducibility, consider pinning this action to an immutable commit SHA (and optionally add a version comment as done for other pinned actions).
| uses: appier/appier-ios-framework/.github/actions/install_gem_dependencies@master | |
| uses: ./.github/actions/install_gem_dependencies |
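Review bot: the suggested `uses: ./.github/actions/install_gem_dependencies` resolves the action from the checked-out working tree, so it works only when this workflow runs inside the appier/appier-ios-framework repository itself and after the checkout step that precedes it in the hunk; if the workflow is meant to be reused from another repository, keep the remote reference and pin it to a full commit SHA with a version comment, as done on the checkout line.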
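A check a reviewer can run locally for the mutable-ref finding above, as an added example (constructed for this thread; not code from the PR or from the appier project): a shell linter that lists every `uses:` reference not pinned to a full 40-hex commit SHA, skipping local `./` actions for the same reason the suggestion above switches to one. The sample workflow, the `example-org` action names and the function names are assumptions of this example; the checkout SHA is the one pinned in this PR.

```shell
#!/bin/sh
# Flag `uses:` references in workflow files that are not pinned to a full commit
# SHA. Constructed example for this review thread, not code from the PR or the
# appier project; the sample workflow below is made up.

# Prints file:line:content for every `uses:` line whose ref is not a 40-hex SHA.
# Local actions (`uses: ./path`) are skipped: they are versioned with the
# repository itself. Exit status is 0 when at least one unpinned ref was found,
# 1 when every external action is pinned (grep -v semantics).
find_unpinned_uses() {
  grep -nH -E '^[[:space:]]*(-[[:space:]]*)?uses:' "$@" \
    | grep -vE 'uses:[[:space:]]*\./' \
    | grep -vE 'uses:[[:space:]]*[^[:space:]@]+@[0-9a-f]{40}([[:space:]]|$)'
}

# Writes a constructed workflow fragment to a temporary file and prints its path.
# It mixes a SHA-pinned checkout, a mutable @master ref, a local action and a tag.
write_sample_workflow() {
  _f=$(mktemp)
  cat > "$_f" <<'YAML'
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
      - name: Setup gem
        uses: example-org/example-action/.github/actions/install_deps@master
      - name: Local helper
        uses: ./.github/actions/local_helper
      - name: Tagged action
        uses: example-org/notify-action@v2
YAML
  printf '%s\n' "$_f"
}

# Returns the number of unpinned refs in the given files (0 is the desired state).
count_unpinned_uses() {
  find_unpinned_uses "$@" | wc -l | tr -d ' '
}

sample=$(write_sample_workflow)
echo "Unpinned action refs in $sample:"
find_unpinned_uses "$sample" || echo "(none)"
rm -f "$sample"
```

On the constructed sample the linter reports the `@master` and `@v2` lines and stays silent on the SHA-pinned checkout and the local action. It only checks the shape of the ref; it does not verify that a pinned SHA belongs to the release named in the trailing comment, which needs a lookup against the upstream repository (for example with `git ls-remote`).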
| - name: Checkout repository | ||
| uses: actions/checkout@v4 | ||
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 | ||
|
|
||
| - name: Setup gem | ||
| uses: appier/appier-ios-framework/.github/actions/install_gem_dependencies@master |
install_gem_dependencies is referenced via @master, which is a mutable ref. To keep workflows reproducible and reduce supply-chain risk (especially now that other actions are pinned), consider pinning this to a commit SHA.
| - name: Checkout repository | ||
| uses: actions/checkout@v4 | ||
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 | ||
|
|
||
| - name: Setup gem | ||
| uses: appier/appier-ios-framework/.github/actions/install_gem_dependencies@master |
This step still uses install_gem_dependencies@master (mutable ref). If the goal is fully deterministic workflows, pin this action to a commit SHA here as well.