mirror of
https://github.com/we-promise/sure.git
synced 2026-06-05 18:59:04 +00:00
* fix(helm): normalize appVersion to strip leading v (#2050)

Releases triggered on a tag like `v0.7.1-rc.1` end up writing `appVersion: "v0.7.1-rc.1"` into Chart.yaml / the published index.yaml, but the Docker image is pushed to GHCR without the leading `v` (`ghcr.io/we-promise/sure:0.7.1-rc.1`). Flux CD / any consumer that pulls the chart then fails with `ImagePullBackoff` against `v0.7.1-rc.1` (a tag that doesn't exist).

`normalize_version` is already applied to `CHART_VERSION`; route the two tag-derived `APP_VERSION` paths through the same helper so the appVersion matches the published image tag.

Closes #2050

* chore(ci): bind helm-publish version inputs to step env (#2050)

@coderabbitai (zizmor) flagged that the version-resolve step expanded ${{ inputs.chart_version }} and ${{ inputs.app_version }} directly into bash, which is a template-injection vector — a malicious caller of this reusable workflow could inject shell via an input like '; rm -rf … #'. Bind both inputs to step env (CHART_VERSION_INPUT, APP_VERSION_INPUT) and reference them as shell variables in the conditionals. Behaviour is unchanged; the values just arrive through the env table instead of the runner's template pass.

---------

Co-authored-by: jeffrey701 <jeffrey701@users.noreply.github.com>
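The two fixes in the commit above, as an added stand-alone example that is not code from the `sure` repository or its workflow: a `normalize_version` helper with the assumed shape "strip one leading `v`", and a side-by-side simulation of why splicing `${{ inputs.* }}` into a `run:` script is a shell-injection vector while binding the input to step `env` is not. The `run_with_template_expansion` and `run_with_env_binding` functions stand in for the runner's template pass and for a step `env:` block respectively; their names, the `CHART_VERSION_INPUT` variable's contents and the `INJECTED` payload are constructed for the demonstration.

```shell
#!/usr/bin/env sh
# Added example (not the project's code). Assumed shape of the helper the
# commit message refers to: drop exactly one leading "v" so that the chart's
# appVersion matches the image tag pushed to GHCR.
normalize_version() {
  printf '%s\n' "${1#v}"
}

# Unsafe pattern, roughly what zizmor flags in a workflow:
#   run: |
#     VERSION=${{ inputs.chart_version }}
# The runner substitutes the input text into the script *before* the shell
# parses it, so shell metacharacters in the input become shell syntax.
# This function reproduces that by building the script as a string.
run_with_template_expansion() {
  input=$1
  script="VERSION=$input; printf '%s' \"\$VERSION\""
  sh -c "$script"
}

# Fixed pattern:
#   env:
#     CHART_VERSION_INPUT: ${{ inputs.chart_version }}
#   run: |
#     VERSION=$CHART_VERSION_INPUT
# The input travels through the environment table; the shell only ever sees
# it as data when it expands $CHART_VERSION_INPUT, never as code.
run_with_env_binding() {
  CHART_VERSION_INPUT=$1 sh -c 'VERSION=$CHART_VERSION_INPUT; printf "%s" "$VERSION"'
}

# Demonstration with a benign payload (no destructive commands). A caller of
# the reusable workflow would supply this as the chart_version input.
demo() {
  payload='1.0.0; echo INJECTED #'
  printf 'normalize_version v0.7.1-rc.1 -> %s\n' "$(normalize_version v0.7.1-rc.1)"
  printf 'template expansion -> %s\n' "$(run_with_template_expansion "$payload")"
  printf 'env binding        -> %s\n' "$(run_with_env_binding "$payload")"
}
```

Running `demo` shows the template-expanded path executing the injected `echo` (and silently commenting out the rest of the step) while the env-bound path treats the whole payload as an opaque version string, which is the behaviour the second commit relies on.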