More PR Comments

2026-03-09 19:45:29 -04:00 · 2026-03-03 14:40:28 -06:00 · 2026-03-03 14:40:28 -06:00 · 35abda313c
commit 35abda313c
parent c2b9aa3c49
3 changed files with 29 additions and 30 deletions
--- a/.github/workflows/canary-workflow.yml
+++ b/.github/workflows/canary-workflow.yml
@ -15,11 +15,6 @@ jobs:
        with:
          fetch-depth: 1

-      - uses: actions/upload-artifact@v4
-        with:
-          name: csproj
-          path: Kavita.Common/Kavita.Common.csproj
-
      - name: Setup .NET Core
        uses: actions/setup-dotnet@v4
        with:
--- a/.github/workflows/pr-check.yml
+++ b/.github/workflows/pr-check.yml
@ -1,27 +1,23 @@
 name: Validate PR Body

 on:
-    pull_request:
-        branches: [ main, develop, canary ]
-        types: [opened, synchronize, edited]
+  pull_request:
+    branches: [ main, develop, canary ]
+    types: [opened, synchronize, edited]

 jobs:
-    check_pr:
-        runs-on: ubuntu-24.04
-        steps:
-            - name: Check PR Body
-              uses: actions/github-script@v7
-              with:
-                  github-token: ${{ secrets.GITHUB_TOKEN }}
-                  script: |
-                    const { data: pr } = await github.rest.pulls.get({
-                      owner: context.repo.owner,
-                      repo: context.repo.repo,
-                      pull_number: context.payload.pull_request.number
-                    });
-                    const body = pr.body || '';
-                    if (/["`]/.test(body)) {
-                      core.setFailed(
-                        'PR body must not contain double-quotes or backticks.'
-                      );
-                    }
+  check_pr:
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Check PR Body
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const checkBody = (bodyText) => {
+              if (/["`]/.test(bodyText)) {
+                core.setFailed('PR body must not contain double-quotes or backticks.');
+              }
+            };
+
+            const body = context.payload.pull_request?.body || '';
+            checkBody(body);
--- a/.github/workflows/release-workflow.yml
+++ b/.github/workflows/release-workflow.yml
@ -25,13 +25,21 @@ jobs:
        id: get-notes
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          # 1. Map the input to an environment variable safely
+          PR_NUMBER_INPUT: ${{ inputs.pr_number }}
        run: |
          if [[ "${{ github.event_name }}" == "pull_request" ]]; then
            # Securely extract the PR body without shell interpolation
            RAW_BODY=$(jq -r '.pull_request.body // empty' "$GITHUB_EVENT_PATH")
-          elif [[ -n "${{ inputs.pr_number }}" ]]; then
-            # Fetch via GitHub CLI if manually triggered
-            RAW_BODY=$(gh pr view ${{ inputs.pr_number }} --repo ${{ github.repository }} --json body --jq '.body')
+          elif [[ -n "$PR_NUMBER_INPUT" ]]; then
+            # 2. Validate that the input is strictly numeric
+            if ! [[ "$PR_NUMBER_INPUT" =~ ^[0-9]+$ ]]; then
+              echo "Error: pr_number input must be purely numeric."
+              exit 1
+            fi
+
+            # 3. Fetch via GitHub CLI using the validated and quoted variable
+            RAW_BODY=$(gh pr view "$PR_NUMBER_INPUT" --repo "${{ github.repository }}" --json body --jq '.body')
          else
            RAW_BODY="Read full changelog: https://github.com/Kareadita/Kavita/releases/latest"
          fi