Skip to content

fix(ci): harden version validation and verify sed substitutions in release pipelines#59

Merged
adityamehra merged 1 commit into
mainfrom
fix/release-pipeline-sed-validation
Jun 30, 2026
Merged

fix(ci): harden version validation and verify sed substitutions in release pipelines#59
adityamehra merged 1 commit into
mainfrom
fix/release-pipeline-sed-validation

Conversation

@adityamehra

Copy link
Copy Markdown
Member

Summary

Addresses two issues raised in PR reviews of the release pipeline workflows (#52 and #56), applied consistently across all three PyPI release workflows (splunk-ao, splunk-ao-adk, splunk-ao-a2a).

Changes

1. Fix: multi-line input bypass in version validation

Issue: grep -Eq '^...$' matches on a per-line basis, so a multi-line string like 0.1.0\n<payload> passes the check — the first line matches and the rest is ignored. A maintainer dispatching the workflow via the REST API or gh workflow run can inject newlines into the version input, which then flows unsanitized into the sed replacement string.

Fix: Replaced grep -Eq with bash [[ =~ ]], whose ^/$ anchors apply to the entire string, not individual lines. Multi-line inputs are unconditionally rejected.

# Before
if ! printf '%s' "$INPUT_VERSION" | grep -Eq '^[0-9]+...'; then

# After
if [[ ! "$INPUT_VERSION" =~ ^[0-9]+... ]]; then

2. Fix: silent sed no-op on version format drift

Issue: If the version = "..." line format in pyproject.toml or __version__ = "..." in the version file ever drifts (e.g. extra spaces, moved table), sed silently exits 0 with no replacements. The build then proceeds with the stale version — a silent wrong-version release.

Fix: Added grep -q assertions after each sed call to verify the expected line is now present. Failure exits loudly with a ::error:: annotation.

sed -i "s/^version = \".*\"/version = \"${INPUT_VERSION}\"/" pyproject.toml
if ! grep -q "^version = \"${INPUT_VERSION}\"" pyproject.toml; then
  echo "::error::Failed to set version in pyproject.toml — the version line format may have changed."
  exit 1
fi

Files changed

  • .github/workflows/release-splunk-ao.yaml
  • .github/workflows/release-splunk-ao-adk.yaml
  • .github/workflows/release-splunk-ao-a2a.yaml

Related

…lease pipelines

Two security/reliability improvements applied to all three PyPI release
workflows (splunk-ao, splunk-ao-adk, splunk-ao-a2a):

1. Switch grep -Eq to bash [[ =~ ]] for version validation
   grep -E matches on a per-line basis, so a multi-line input like
   "0.1.0\n<payload>" passes the check even though it is not a valid
   version. bash [[ =~ ]] anchors ^ and $ to the entire string, making
   multi-line inputs impossible to sneak through.

2. Verify each sed substitution actually matched
   If the version line format in pyproject.toml or the __version__ file
   ever drifts, sed silently no-ops and the build proceeds with the
   stale version. Added grep -q assertions after each sed call so a
   mismatch fails loudly instead of producing a silent wrong-version
   release.

Co-authored-by: Cursor <cursoragent@cursor.com>

@fercor-cisco fercor-cisco left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🤖 This review was generated by the Astra agent (claude-opus-4-8). It may contain mistakes.

Verdict: approve — Both hardening fixes are correct, consistently applied across all three workflows, and introduce no regressions.

Follow-ups

Suggested follow-up work that could be tracked as Shortcut stories:

  • .github/workflows/release-splunk-ao-adk.yaml:45-45: The src/splunk_ao_adk/__init__.py and src/splunk_ao_a2a/_version.py paths referenced by the adk/a2a release workflows do not exist in this repository's src/ tree (only src/splunk_ao/ and src/galileo/ are present). If these packages are expected to be built from this repo, the sed step (and now the new grep verification) will fail at runtime. Worth confirming these workflows target the correct repo/paths. Pre-existing and out of scope for this PR.

exit 1
fi
sed -i "s/__version__ = \".*\"/__version__ = \"${INPUT_VERSION}\"/" src/splunk_ao/__init__.py
if ! grep -q "__version__ = \"${INPUT_VERSION}\"" src/splunk_ao/__init__.py; then

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔵 nit (other): The pyproject.toml verification is anchored (^version = ...) but the __version__ verification is not. Anchoring it too would make the check more precise and consistent — it guards against accidentally matching an unrelated occurrence (e.g. in a comment or docstring) while the real assignment line was missed by sed. Low priority since sed would update any matching line anyway.

Suggested change
if ! grep -q "__version__ = \"${INPUT_VERSION}\"" src/splunk_ao/__init__.py; then
if ! grep -q "^__version__ = \"${INPUT_VERSION}\"" src/splunk_ao/__init__.py; then

🤖 Generated by Astra

@fercor-cisco fercor-cisco left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved; see the minor suggestion above.

@adityamehra
adityamehra merged commit 52a4019 into main Jun 30, 2026
13 checks passed
@adityamehra
adityamehra deleted the fix/release-pipeline-sed-validation branch June 30, 2026 19:32
@github-actions github-actions Bot locked and limited conversation to collaborators Jun 30, 2026
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants