diff --git a/.github/workflows/helm-publish.yml b/.github/workflows/helm-publish.yml
index 510c64049..0588162c0 100644
--- a/.github/workflows/helm-publish.yml
+++ b/.github/workflows/helm-publish.yml
@@ -40,6 +40,12 @@ jobs:
 - name: Resolve chart and app versions
 id: version
 shell: bash
+ # Bind workflow inputs to env so the values arrive as shell variables
+ # instead of being interpolated verbatim by the `${{ }}` runner pass.
+ # zizmor flags the direct expansion as a template-injection risk.
+ env:
+ CHART_VERSION_INPUT: ${{ inputs.chart_version }}
+ APP_VERSION_INPUT: ${{ inputs.app_version }}
 run: |
 set -euo pipefail
@@ -48,18 +54,24 @@ jobs:
 echo "${raw#v}"
 }
- if [ -n "${{ inputs.chart_version }}" ]; then
- CHART_VERSION="$(normalize_version "${{ inputs.chart_version }}")"
+ if [ -n "$CHART_VERSION_INPUT" ]; then
+ CHART_VERSION="$(normalize_version "$CHART_VERSION_INPUT")"
 elif [[ "${GITHUB_REF_TYPE}" == "tag" && "${GITHUB_REF_NAME}" == v* ]]; then
 CHART_VERSION="$(normalize_version "${GITHUB_REF_NAME}")"
 else
 CHART_VERSION="0.0.0-nightly.$(date -u +'%Y%m%d.%H%M%S')"
 fi
- if [ -n "${{ inputs.app_version }}" ]; then
- APP_VERSION="${{ inputs.app_version }}"
+ # Normalize APP_VERSION the same way CHART_VERSION is — appVersion
+ # must match the OCI image tag in GHCR, which is published without a
+ # leading `v`. Without this, a release on tag `v0.7.1-rc.1` writes
+ # `appVersion: "v0.7.1-rc.1"` into Chart.yaml / index.yaml, and Helm
+ # then fails to pull `ghcr.io/we-promise/sure:v0.7.1-rc.1` (the real
+ # tag is `0.7.1-rc.1`). See #2050.
+ if [ -n "$APP_VERSION_INPUT" ]; then
+ APP_VERSION="$(normalize_version "$APP_VERSION_INPUT")"
 elif [[ "${GITHUB_REF_TYPE}" == "tag" && "${GITHUB_REF_NAME}" == v* ]]; then
- APP_VERSION="${GITHUB_REF_NAME}"
+ APP_VERSION="$(normalize_version "${GITHUB_REF_NAME}")"
 else
 APP_VERSION="${CHART_VERSION}"
 fi
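Review bot: The new `CHART_VERSION=` and `APP_VERSION=` assignments in the second hunk still accept whatever string the caller supplied — `normalize_version` only strips a leading `v` (its `echo "${raw#v}"` is visible, but the function header sits above the hunk), so an input containing whitespace, `/`, or anything that is not a Helm-acceptable SemVer reaches Chart.yaml and the published tag unchanged. Moving the inputs into `env` closes the template-expansion path, but the shell now trusts the value; a shape check after the second `fi` would finish the job, e.g. `[[ "$CHART_VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+([-+][0-9A-Za-z.-]+)?$ ]] || { echo "chart_version '$CHART_VERSION' is not SemVer" >&2; exit 1; }` and a matching tag-safe check for `APP_VERSION`. Where `inputs.*` come from is not shown here (presumably `workflow_dispatch`), and `${raw#v}` strips only a lowercase `v`, so `V1.2.3` would pass through un-normalized. The step's `run` body continues past the end of the hunk.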