Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
80 changes: 71 additions & 9 deletions .github/workflows/draft-release.yml
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
# Placeholder draft-release workflow
# Drafts new mailtrap-java release: bumps the version in pom.xml, regenerates the changelog
# from merged PRs, and opens a release PR against main.
#
name: Draft java Release
name: Draft Java Release
on:
workflow_dispatch:
inputs:
Expand All @@ -14,14 +15,75 @@ on:
- major
default: patch

concurrency:
group: ${{ github.workflow }}
cancel-in-progress: false

permissions:
contents: write
pull-requests: write

jobs:
draft-release:
name: Draft java Release (placeholder)
name: Draft mailtrap-java Release
runs-on: ubuntu-latest
steps:
- name: Echo inputs
env:
BUMP_TYPE: ${{ inputs.bump_type }}
run: |
echo "Placeholder draft-release workflow"
echo "bump_type=$BUMP_TYPE"
- uses: actions/checkout@v4
with:
ref: main

- name: Set up JDK
uses: actions/setup-java@v4
with:
java-version: '17'
distribution: 'temurin'

- name: Read current version
id: read
run: echo "version=$(mvn help:evaluate -Dexpression=project.version -q -DforceStdout)" >> "$GITHUB_OUTPUT"

- name: Compute next version
id: bump
uses: railsware/github-actions/compute-next-semver@master

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Fetch the latest commit SHA for each railsware action branch.
for action in compute-next-semver abort-if-tag-exists generate-release-notes prepend-changelog open-sdk-release-pr create-draft-github-release; do
  echo "=== $action ==="
  gh api repos/railsware/github-actions/commits --jq ".[].sha" 2>/dev/null | head -1
done

Repository: mailtrap/mailtrap-java

Length of output: 583


🏁 Script executed:

#!/bin/bash
set -euo pipefail

file=".github/workflows/draft-release.yml"

echo "== relevant lines =="
nl -ba "$file" | sed -n '1,140p' | rg 'railsware/github-actions|uses:|`@master`|@'

echo
echo "== full action references =="
rg -n 'railsware/github-actions|uses:' "$file"

Repository: mailtrap/mailtrap-java

Length of output: 217


🏁 Script executed:

#!/bin/bash
set -euo pipefail

file=".github/workflows/draft-release.yml"

echo "== railsware/github-actions references =="
grep -nE 'railsware/github-actions|uses:' "$file" || true

echo
echo "== surrounding context =="
sed -n '35,95p' "$file"

Repository: mailtrap/mailtrap-java

Length of output: 2825


Pin all railsware/github-actions steps to commit SHAs. The six release steps still use mutable @master refs, so a compromise of that repo could run arbitrary code here with write permissions.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/draft-release.yml at line 47, Replace every mutable
`@master` reference for railsware/github-actions steps in the release workflow,
including compute-next-semver and the other five release actions, with their
reviewed, immutable commit SHAs; preserve each action and its configuration
while ensuring all six uses are pinned consistently.

Source: Linters/SAST tools

with:
current: ${{ steps.read.outputs.version }}
bump-type: ${{ inputs.bump_type }}

- name: Abort if tag already exists
uses: railsware/github-actions/abort-if-tag-exists@master
with:
tag: ${{ steps.bump.outputs.tag }}

- name: Generate release notes
id: notes
uses: railsware/github-actions/generate-release-notes@master
with:
tag: ${{ steps.bump.outputs.tag }}

- name: Bump version in pom.xml
if: steps.notes.outputs.release_notes != ''
run: mvn versions:set -DnewVersion=${{ steps.bump.outputs.next }} -DgenerateBackupPoms=false
Comment on lines +63 to +65

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Prevent shell injection via environment variable on the Maven version bump.

steps.bump.outputs.next is interpolated directly into the run command. If the upstream compute-next-semver action (pinned to @master) ever produces unexpected output, shell metacharacters in that value would execute arbitrary commands. Pass the value through an environment variable instead.

🔒️ Proposed fix
       - name: Bump version in pom.xml
         if: steps.notes.outputs.release_notes != ''
+        env:
+          NEXT_VERSION: ${{ steps.bump.outputs.next }}
-        run: mvn versions:set -DnewVersion=${{ steps.bump.outputs.next }} -DgenerateBackupPoms=false
+        run: mvn versions:set -DnewVersion="$NEXT_VERSION" -DgenerateBackupPoms=false
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- name: Bump version in pom.xml
if: steps.notes.outputs.release_notes != ''
run: mvn versions:set -DnewVersion=${{ steps.bump.outputs.next }} -DgenerateBackupPoms=false
- name: Bump version in pom.xml
if: steps.notes.outputs.release_notes != ''
env:
NEXT_VERSION: ${{ steps.bump.outputs.next }}
run: mvn versions:set -DnewVersion="$NEXT_VERSION" -DgenerateBackupPoms=false
🧰 Tools
🪛 zizmor (1.26.1)

[info] 65-65: code injection via template expansion (template-injection): may expand into attacker-controllable code

(template-injection)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/draft-release.yml around lines 63 - 65, Prevent shell
injection in the Maven version bump step by assigning steps.bump.outputs.next to
an environment variable and referencing that variable in the run command instead
of interpolating the output directly. Update the “Bump version in pom.xml” step
while preserving its existing condition and Maven options.

Source: Linters/SAST tools


- name: Prepend new section to CHANGELOG.md
if: steps.notes.outputs.release_notes != ''
uses: railsware/github-actions/prepend-changelog@master
with:
version: ${{ steps.bump.outputs.next }}
release-notes: ${{ steps.notes.outputs.release_notes }}
Comment on lines +67 to +72

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win

Handle missing CHANGELOG.md to fix the pipeline failure.

The pipeline failed with ENOENT: no such file or directory, open 'CHANGELOG.md' because the workflow checks out main (line 33) but CHANGELOG.md is new in this PR and hasn't been merged yet. The prepend-changelog action internally calls fs.readFileSync('CHANGELOG.md') and crashes when the file is absent. Add a guard step to create the file if it doesn't exist.

🐛 Proposed fix
       - name: Ensure CHANGELOG.md exists
+        if: steps.notes.outputs.release_notes != ''
+        run: |
+          if [ ! -f CHANGELOG.md ]; then
+            touch CHANGELOG.md
+          fi
+
       - name: Prepend new section to CHANGELOG.md
         if: steps.notes.outputs.release_notes != ''
         uses: railsware/github-actions/prepend-changelog@master
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- name: Prepend new section to CHANGELOG.md
if: steps.notes.outputs.release_notes != ''
uses: railsware/github-actions/prepend-changelog@master
with:
version: ${{ steps.bump.outputs.next }}
release-notes: ${{ steps.notes.outputs.release_notes }}
- name: Ensure CHANGELOG.md exists
if: steps.notes.outputs.release_notes != ''
run: |
if [ ! -f CHANGELOG.md ]; then
touch CHANGELOG.md
fi
- name: Prepend new section to CHANGELOG.md
if: steps.notes.outputs.release_notes != ''
uses: railsware/github-actions/prepend-changelog@master
with:
version: ${{ steps.bump.outputs.next }}
release-notes: ${{ steps.notes.outputs.release_notes }}
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/draft-release.yml around lines 67 - 72, Add a workflow
step before “Prepend new section to CHANGELOG.md” that creates an empty
CHANGELOG.md only when the file is absent, using a shell existence check; keep
the existing prepend action and release-notes condition unchanged.

Source: Pipeline failures


- name: Commit, push, open PR
if: steps.notes.outputs.release_notes != ''
uses: railsware/github-actions/open-sdk-release-pr@master
with:
tag: ${{ steps.bump.outputs.tag }}
current: ${{ steps.read.outputs.version }}
next: ${{ steps.bump.outputs.next }}
bump-type: ${{ inputs.bump_type }}
release-notes: ${{ steps.notes.outputs.release_notes }}

- name: Create draft GitHub release
if: steps.notes.outputs.release_notes != ''
uses: railsware/github-actions/create-draft-github-release@master
with:
tag: ${{ steps.bump.outputs.tag }}
release-notes: ${{ steps.notes.outputs.release_notes }}
15 changes: 15 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
## [1.3.0] - 2026-05-14

See https://github.com/mailtrap/mailtrap-java/releases/tag/v1.3.0

## [1.2.0] - 2026-03-23

See https://github.com/mailtrap/mailtrap-java/releases/tag/v1.2.0

## [1.1.0] - 2025-10-24

See https://github.com/mailtrap/mailtrap-java/releases/tag/v1.1.0

## [1.0.0] - 2025-02-19

See https://github.com/mailtrap/mailtrap-java/releases/tag/v1.0.0
2 changes: 2 additions & 0 deletions pom.xml
Original file line number Diff line number Diff line change
Expand Up @@ -220,6 +220,8 @@
<extensions>true</extensions>
<configuration>
<publishingServerId>central</publishingServerId>
<autoPublish>true</autoPublish>
<waitUntil>published</waitUntil>
</configuration>
</plugin>

Expand Down
Loading