Skip to content

ci(helm): roll prereleases on main pushes + manual trigger #3461

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
nicktrn merged 4 commits into from
Apr 28, 2026
+59 −7
Merged

ci(helm): roll prereleases on main pushes + manual trigger #3461

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
420aa12
ci(helm): roll prereleases on main pushes + manual trigger
nicktrn Apr 28, 2026
c44257d
chore(helm): add trailing newline to README to exercise prerelease wo…
nicktrn Apr 28, 2026
5a9ba0e
ci(helm): harden manual dispatch + skip PR checks for helm-only changes
nicktrn Apr 28, 2026
bcf28dc
ci: drop ignore for old helm-pr-prerelease.yml (deleted in this PR)
nicktrn Apr 28, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
63 changes: 57 additions & 6 deletions .github/workflows/helm-pr-prerelease.yml → .github/workflows/helm-prerelease.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,13 +1,25 @@
name: 🧭 Helm Chart PR Prerelease
name: 🧭 Helm Chart Prerelease

on:
pull_request:
types: [opened, synchronize, reopened]
paths:
- "hosting/k8s/helm/**"
push:
branches:
- main
paths:
- "hosting/k8s/helm/**"
workflow_dispatch:
inputs:
app_version:
description: "Override appVersion (e.g. 'main', 'v4.4.4'). Leave empty to keep Chart.yaml value."
required: false
type: string
default: ""

concurrency:
group: helm-prerelease-${{ github.event.pull_request.number }}
group: helm-prerelease-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true

env:
Expand Down Expand Up @@ -54,7 +66,10 @@ jobs:

prerelease:
needs: lint-and-test
if: github.event.pull_request.head.repo.full_name == github.repository
if: |
(github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository) ||
github.event_name == 'push' ||
github.event_name == 'workflow_dispatch'
runs-on: ubuntu-latest
permissions:
contents: read
Expand Down Expand Up @@ -88,16 +103,35 @@ jobs:
id: version
run: |
BASE_VERSION=$(grep '^version:' ./hosting/k8s/helm/Chart.yaml | awk '{print $2}')
PR_NUMBER=${{ github.event.pull_request.number }}
SHORT_SHA=$(echo "${{ github.event.pull_request.head.sha }}" | cut -c1-7)
PRERELEASE_VERSION="${BASE_VERSION}-pr${PR_NUMBER}.${SHORT_SHA}"
if [[ "${{ github.event_name }}" == "pull_request" ]]; then
PR_NUMBER=${{ github.event.pull_request.number }}
SHORT_SHA=$(echo "${{ github.event.pull_request.head.sha }}" | cut -c1-7)
PRERELEASE_VERSION="${BASE_VERSION}-pr${PR_NUMBER}.${SHORT_SHA}"
elif [[ "${{ github.event_name }}" == "push" ]]; then
SHORT_SHA=$(echo "${{ github.sha }}" | cut -c1-7)
PRERELEASE_VERSION="${BASE_VERSION}-main.${SHORT_SHA}"
else
SHORT_SHA=$(echo "${{ github.sha }}" | cut -c1-7)
REF_SLUG=$(echo "${{ github.ref_name }}" | tr '/' '-' | tr -cd 'a-zA-Z0-9-')
Copy link
Copy Markdown
Contributor

@devin-ai-integration devin-ai-integration Bot Apr 28, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟡 Script injection via direct interpolation of github.ref_name in shell command

On line 115, ${{ github.ref_name }} is directly interpolated into a run: shell script. GitHub Actions expands ${{ }} expressions before the shell executes, so if the ref name contains shell metacharacters (e.g., backticks, $(), etc.), they will be interpreted by the shell. For example, a branch named test`malicious-command` would execute malicious-command. While this requires write access to the repo (to both create the branch and trigger workflow_dispatch), it's a well-documented GitHub Actions script injection anti-pattern that could allow exfiltration of secrets available in the workflow (e.g., GITHUB_TOKEN with packages: write).

Recommended fix: use an environment variable

Pass github.ref_name via an environment variable so the shell receives it as data rather than code:

env:
  REF_NAME: ${{ github.ref_name }}
run: |
  REF_SLUG=$(echo "$REF_NAME" | tr '/' '-' | tr -cd 'a-zA-Z0-9-')
Prompt for agents 
In .github/workflows/helm-prerelease.yml, line 115, the expression ${{ github.ref_name }} is directly interpolated into a shell run: block, which is a script injection vulnerability. GitHub Actions expands the expression before shell execution, so shell metacharacters in branch names (backticks, $(), etc.) would be executed.

The fix is to pass github.ref_name through an environment variable instead of direct interpolation. Change the else block (lines 113-119) to pass REF_NAME as an env var on the step, and reference $REF_NAME in the shell script. Something like:

env:
  REF_NAME: ${{ github.ref_name }}
run: |
  SHORT_SHA=$(echo "${{ github.sha }}" | cut -c1-7)
  REF_SLUG=$(echo "$REF_NAME" | tr '/' '-' | tr -cd 'a-zA-Z0-9-')
  ...

Note: github.sha is safe since it's always a hex string, but github.ref_name is user-influenced and needs the env var treatment.
Open in Devin Review

Was this helpful? React with 👍 or 👎 to provide feedback.

if [[ -z "$REF_SLUG" ]]; then
REF_SLUG="manual"
fi
PRERELEASE_VERSION="${BASE_VERSION}-${REF_SLUG}.${SHORT_SHA}"
fi
Comment thread
coderabbitai[bot] marked this conversation as resolved.
echo "version=$PRERELEASE_VERSION" >> $GITHUB_OUTPUT
echo "Prerelease version: $PRERELEASE_VERSION"

- name: Update Chart.yaml with prerelease version
run: |
sed -i "s/^version:.*/version: ${{ steps.version.outputs.version }}/" ./hosting/k8s/helm/Chart.yaml

- name: Override appVersion
if: github.event_name == 'workflow_dispatch' && inputs.app_version != ''
env:
APP_VERSION: ${{ inputs.app_version }}
run: |
yq -i '.appVersion = strenv(APP_VERSION)' ./hosting/k8s/helm/Chart.yaml

Comment thread
coderabbitai[bot] marked this conversation as resolved.
- name: Package Helm Chart
run: |
helm package ./hosting/k8s/helm/ --destination /tmp/
Expand All @@ -110,7 +144,23 @@ jobs:
# Push to GHCR OCI registry
helm push "$CHART_PACKAGE" "oci://${{ env.REGISTRY }}/${{ github.repository_owner }}/charts"

- name: Write run summary
run: |
{
echo "### 🧭 Helm Chart Prerelease Published"
echo ""
echo "**Version:** \`${{ steps.version.outputs.version }}\`"
echo ""
echo "**Install:**"
echo '```bash'
echo "helm upgrade --install trigger \\"
echo " oci://${{ env.REGISTRY }}/${{ github.repository_owner }}/charts/${{ env.CHART_NAME }} \\"
echo " --version \"${{ steps.version.outputs.version }}\""
echo '```'
} >> "$GITHUB_STEP_SUMMARY"

- name: Find existing comment
if: github.event_name == 'pull_request'
uses: peter-evans/find-comment@v3
id: find-comment
with:
Expand All @@ -119,6 +169,7 @@ jobs:
body-includes: "Helm Chart Prerelease Published"

- name: Create or update PR comment
if: github.event_name == 'pull_request'
uses: peter-evans/create-or-update-comment@v4
with:
comment-id: ${{ steps.find-comment.outputs.comment-id }}
Expand Down
1 change: 1 addition & 0 deletions .github/workflows/pr_checks.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@ on:
- "docs/**"
- ".changeset/**"
- "hosting/**"
- ".github/workflows/helm-prerelease.yml"

concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
Expand Down
2 changes: 1 addition & 1 deletion hosting/k8s/helm/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -736,4 +736,4 @@ helm upgrade --install trigger . \

- Documentation: https://trigger.dev/docs/self-hosting
- GitHub Issues: https://github.com/triggerdotdev/trigger.dev/issues
- Discord: https://discord.gg/untWVke9aH
- Discord: https://discord.gg/untWVke9aH
Loading