chore: Cherry-pick v2.16-master#130
Conversation
Signed-off-by: Anurag Rajawat <anurag@stepsecurity.io>
Signed-off-by: Anurag Rajawat <anurag@stepsecurity.io>
|
📦 Target Release Version: v2.18 |
|
Node-based action review - see inline comments for details. |
1 similar comment
|
Node-based action review - see inline comments for details. |
PR ReviewAction TypeNode-based action (uses node24 runtime with dist/index.js entry point). Passed Checks
Failed Checks
Warnings
Security Findings
SummaryThe cherry-pick brings meaningful correctness improvements (strict amount parsing, URL-safe encoding, ANSI escape fix) from upstream. Two issues must be resolved before merging: the LICENSE file must also credit the original upstream author alongside StepSecurity, and the unused @actions/http-client dependency must be removed from package.json. |
|
|
||
| let url = "PATCH " + path_(); | ||
| url += "/actions/variables/" + name; | ||
| url += "/actions/variables/" + encodeURIComponent(name); |
There was a problem hiding this comment.
Good fix: adding encodeURIComponent() here prevents URL-path injection if a variable name contains /, ?, #, or other special characters. Same fix applied correctly to getVariable at the equivalent line below.
|
|
||
| try { | ||
|
|
||
| if (name === "") { |
There was a problem hiding this comment.
This guard works correctly — a plain new Error(...) has no .status property, so the catch clause will not swallow it silently (it sees e.status !== 404 → true → calls setFailed and returns). However, the intent would be clearer if this check is moved before the outer try block, since there is no reason to attempt the API call when the name is already known to be empty.
|
Superseded by #132. |
No description provided.