fix(workflows): escape literal ${{ }} in run-block comments #11

Merged: k2kite-megankim merged 1 commit into main from fix/comment-escape on May 3, 2026
@k2kite-megankim
Contributor

Summary

The `marketplace-publish.yml` from PR #10 failed at the workflow-load stage on all of the v0.1.23 / v0.1.24 / v0.1.25 publish attempts of lvis-plugin-local-indexer. Cause: a shell `#` comment inside the `run:` heredoc contained a literal `${{ }}`, which the GitHub Actions expression parser tried to interpret as an empty expression → "unexpected end of input" error.

Found with `actionlint`:
```
yml:311:189: unexpected end of input while parsing variable access...
```

Fix

Replaced the `${{ }}` placeholder on two comment lines with `<expr>`. The meaning is preserved as is.

  • line 176: SECURITY comment block of the resolver step
  • line 314: run-block comment of the zip step

Impact

Public API (inputs / secrets / runtime behavior) unchanged. v1 floating-tag eligible: after merge, the v1 tag must be force-updated to this commit before lvis-plugin-local-indexer can be republished.

Test plan

  • `actionlint` passes (only the oracle runner label remains as a false positive)
  • Merge + v1 tag force-update → pageindex v0.1.26 tag → reusable workflow publishes normally

GitHub Actions evaluates `\${{ }}` expressions inside `run:` heredoc
content unconditionally — even when the bracket pair appears inside a
shell `#` comment, the expression parser still tries to resolve it.
An empty `\${{ }}` substitution fails with "unexpected end of input"
at workflow-load time, surfacing as `referenced_workflows: []` with 0
jobs ever started — the symptom seen on lvis-plugin-local-indexer
v0.1.23 / v0.1.24 / v0.1.25 publish attempts.

Two comment lines documented the security rationale by literally
showing the `\${{ }}` syntax (saying "no `\${{ }}` shell injection
sink"). Replaced with `<expr>` placeholder which conveys the same
meaning without triggering the expression parser.

Locations:
- line 176 (in resolver step's SECURITY comment block)
- line 314 (in zip step's run-block comment)

Detected by `actionlint` — the v0.1.25 publish run on
lvis-plugin-local-indexer surfaced this issue cleanly.

This is a v1 floating-tag-eligible fix — the public API (inputs,
secrets, runtime behavior) is unchanged. The tag should be
force-updated to point at this commit after merge.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@k2kite-megankim k2kite-megankim merged commit d935e29 into main May 3, 2026
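
As an added example (not part of this PR or the project's code), a stdlib-only Python check for the failure described above: it flags `${{ }}` occurrences on shell comment lines inside `run:` block scalars. The function name, the line-based block detection and the sample workflow are assumptions made for illustration; it is an indentation heuristic, not a YAML parser.

```python
import re

# A "run:" key that opens a YAML block scalar, e.g. "run: |" or "- run: >-".
RUN_BLOCK = re.compile(r"^(\s*(?:-\s+)?)run:\s*[|>][+\-\d]*\s*$")
EXPR = re.compile(r"\$\{\{(.*?)\}\}")


def find_comment_expressions(workflow_text):
    """Return (line, column, kind) for every ${{ }} on a shell comment line
    inside a run: block. kind is "empty" for a blank expression body (the
    load-time failure described above), otherwise "comment"."""
    findings = []
    key_indent = None  # column of the "run:" key while inside its block
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        stripped = line.strip()
        if key_indent is not None:
            indent = len(line) - len(line.lstrip(" "))
            if stripped and indent <= key_indent:
                key_indent = None  # dedent ends the block scalar
            else:
                if stripped.startswith("#"):
                    for m in EXPR.finditer(line):
                        kind = "comment" if m.group(1).strip() else "empty"
                        findings.append((line_no, m.start() + 1, kind))
                continue
        opener = RUN_BLOCK.match(line)
        if opener:
            key_indent = len(opener.group(1))
    return findings


# Constructed sample workflow (not the project's marketplace-publish.yml).
SAMPLE = """\
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - name: zip
        env:
          TAG: ${{ inputs.tag }}
        run: |
          # SECURITY: no ${{ }} shell injection sink here
          # tag comes from ${{ inputs.tag }} via env
          zip -r "plugin-$TAG.zip" dist
      - run: echo done
"""

if __name__ == "__main__":
    for line_no, col, kind in find_comment_expressions(SAMPLE):
        print(f"line {line_no}, col {col}: {kind} expression in run-block comment")
```

The `env:` mapping on line 7 of the sample is not reported because the check only looks at comment lines inside `run:` blocks.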