Skip to content

feat: release v4.1.6#2

Merged
AlinsRan merged 5 commits into
masterfrom
ci/release-luarocks
Jul 9, 2026
Merged

feat: release v4.1.6#2
AlinsRan merged 5 commits into
masterfrom
ci/release-luarocks

Conversation

@AlinsRan

@AlinsRan AlinsRan commented Jul 8, 2026

Copy link
Copy Markdown

Adds the release workflow and cuts v4.1.6, the first api7 release of this fork — carrying the empty-array fix from #1.

What's in the release

#1 (decode_array_with_array_mt on the session cjson instance) — without it, an empty array in OIDC userinfo claims (groups, roles) is decoded on session load without the array metatable and re-encoded as {}, corrupting X-Userinfo. See apache/apisix#13440.

Release workflow

Follows the release CI of the other api7 lua-resty repositories (healthcheck / etcd / radixtree / expr):

  • Triggers on a push to master touching rockspecs/**
  • Parses the version from a feat: release vX.Y.Z commit message
  • Creates the GitHub release + tag, then luarocks upload

Published as lua-resty-session-api7 — an api7-owned luarocks package, matching the -api7 convention of the other forks and sidestepping upstream package ownership.

Deviations from the reference workflows (deliberate)

The reference workflows interpolate github.event.head_commit.message straight into the run: script, which is a shell-injection vector (flagged by actionlint and zizmor): a crafted commit message can execute arbitrary commands on the runner and exfiltrate LUAROCKS_TOKEN. Here the commit message and the derived step outputs are passed through env: vars instead, so no template expansion occurs inside any run: body. Also sets persist-credentials: false on checkout, and uses gh release create rather than the archived actions/create-release@v1.

Merge order

  1. Merge fix(json): preserve empty arrays across decode + re-encode #1 first, so the v4.1.6 tag points at a commit containing the fix.
  2. Merge this PR with the commit message feat: release v4.1.6 (the workflow parses the version from it).
  3. Requires the LUAROCKS_TOKEN repository secret.

Summary by CodeRabbit

  • Chores
    • Updated automated publishing to run on changes to release artifacts on the master branch, deriving the version from a commit-message pattern (fails if it doesn’t match).
    • GitHub Releases are created with generated notes from the extracted version, and the corresponding rockspec is uploaded to Luarocks using the configured token.
  • Packaging
    • Added lua-resty-session-api7 rockspec version 4.1.6-0 with module entrypoints and runtime dependencies.
  • Tests
    • Improved integration/unit test workflows by adjusting how rockspecs are built and ensuring the intended Lua version is used.

Pushing a `v*` tag creates a GitHub release and uploads the matching
root rockspec to luarocks. Follows the release CI convention used by
other api7 lua-resty repositories, adapted to this repo's tag-based
release flow and root rockspec layout.

Requires the `LUAROCKS_TOKEN` repository secret.
@coderabbitai

coderabbitai Bot commented Jul 8, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 374e0a7c-4e09-443f-8907-802f1fd329de

📥 Commits

Reviewing files that changed from the base of the PR and between 0f516c7 and 563fe68.

📒 Files selected for processing (2)
  • .github/workflows/integration_tests.yaml
  • .github/workflows/unit_tests.yaml
✅ Files skipped from review due to trivial changes (1)
  • .github/workflows/unit_tests.yaml

📝 Walkthrough

Walkthrough

Updates release publishing to derive versions from commit messages, adds a versioned rockspec, and changes CI workflows to build from explicit rockspec files.

Changes

Release Workflow

Layer / File(s) Summary
Workflow trigger and publish flow
.github/workflows/release.yml
Switches the release workflow to a master push trigger for rockspecs/** changes, validates the head commit message format, derives version outputs, creates a GitHub Release, installs dkjson, and uploads the computed rockspec to Luarocks.
Versioned rockspec metadata
rockspecs/lua-resty-session-api7-4.1.6-0.rockspec
Adds rockspecs/lua-resty-session-api7-4.1.6-0.rockspec with package metadata, dependencies, source information, and builtin module mappings.
CI rockspec build commands
.github/workflows/integration_tests.yaml, .github/workflows/unit_tests.yaml
Updates the integration and unit test workflows to run luarocks against explicit ./*.rockspec inputs, and pins --lua-version 5.1 in the unit-test build and report steps.

Estimated code review effort: 2 (Simple) | ~10 minutes

🚥 Pre-merge checks | ✅ 6
✅ Passed checks (6 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly matches the main change: releasing v4.1.6.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
E2e Test Quality Review ✅ Passed PASS: Existing suite already has real Test::Nginx integration coverage; this PR only pins the root rockspec and doesn’t reduce test completeness or readability.
Security Check ✅ Passed No security issues found in the added release workflow, rockspec, or test workflow edits; no secret exposure, auth bypass, TLS, or secret-handling regressions.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch ci/release-luarocks

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (2)
.github/workflows/release.yml (2)

16-17: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Disable credential persistence on checkout.

zizmor flags actions/checkout@v4 here for not setting persist-credentials: false. The job doesn't need to push using the checked-out credentials (release/upload use explicit GH_TOKEN/LUAROCKS_TOKEN), so persisting the token in the local git config is unnecessary exposure.

🔒 Proposed fix
       - name: Checkout code
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release.yml around lines 16 - 17, The release workflow’s
Checkout code step uses actions/checkout@v4 without disabling credential
persistence. Update that checkout step to set persist-credentials to false so
the job does not leave the GitHub token in the local git config, since later
release/upload steps use explicit GH_TOKEN and LUAROCKS_TOKEN instead.

Source: Linters/SAST tools


39-51: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Avoid direct template expansion of step outputs in run: scripts.

zizmor flags lines 43, 44, and 51 for template-injection risk: ${{ steps.release_env.outputs.tag }} and .rockspec are expanded inline into the shell script before execution rather than passed as quoted environment variables. Practical risk is low here since values derive from a maintainer-pushed tag and a filename match on the repo's own naming convention, but hardening is trivial and matches the pattern already used for secrets (GH_TOKEN, LUAROCKS_TOKEN) in this same file.

🔒 Proposed fix
       - name: Create GitHub release
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          RELEASE_TAG: ${{ steps.release_env.outputs.tag }}
         run: |
-          gh release create "${{ steps.release_env.outputs.tag }}" \
-            --title "${{ steps.release_env.outputs.tag }}" \
+          gh release create "${RELEASE_TAG}" \
+            --title "${RELEASE_TAG}" \
             --generate-notes

       - name: Upload to luarocks
         env:
           LUAROCKS_TOKEN: ${{ secrets.LUAROCKS_TOKEN }}
+          ROCKSPEC_PATH: ${{ steps.release_env.outputs.rockspec }}
         run: |
-          luarocks upload "${{ steps.release_env.outputs.rockspec }}" --api-key="${LUAROCKS_TOKEN}"
+          luarocks upload "${ROCKSPEC_PATH}" --api-key="${LUAROCKS_TOKEN}"
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release.yml around lines 39 - 51, Inline GitHub Actions
template outputs in the release jobs are being expanded directly inside the
shell scripts, which zizmor flags as template-injection risk. Update the Create
GitHub release and Upload to luarocks steps to pass
steps.release_env.outputs.tag and steps.release_env.outputs.rockspec through env
variables first, then reference those shell variables in the gh and luarocks
commands, matching the existing GH_TOKEN and LUAROCKS_TOKEN pattern.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In @.github/workflows/release.yml:
- Around line 16-17: The release workflow’s Checkout code step uses
actions/checkout@v4 without disabling credential persistence. Update that
checkout step to set persist-credentials to false so the job does not leave the
GitHub token in the local git config, since later release/upload steps use
explicit GH_TOKEN and LUAROCKS_TOKEN instead.
- Around line 39-51: Inline GitHub Actions template outputs in the release jobs
are being expanded directly inside the shell scripts, which zizmor flags as
template-injection risk. Update the Create GitHub release and Upload to luarocks
steps to pass steps.release_env.outputs.tag and
steps.release_env.outputs.rockspec through env variables first, then reference
those shell variables in the gh and luarocks commands, matching the existing
GH_TOKEN and LUAROCKS_TOKEN pattern.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 66869e6d-d003-4dd4-99b1-ef37b09abf27

📥 Commits

Reviewing files that changed from the base of the PR and between 505ff72 and ef3f423.

📒 Files selected for processing (1)
  • .github/workflows/release.yml

AlinsRan added 2 commits July 8, 2026 14:51
luarocks upload needs dkjson to communicate with the luarocks.org API,
matching the release workflow of other api7 lua-resty repositories.
Trigger on rockspec commits to master (paths: rockspecs/**), parse the
version from a 'feat: release vX.Y.Z' commit message, create the GitHub
release/tag, and upload rockspecs/lua-resty-session-api7-<version>-0.rockspec
to luarocks. Mirrors the release CI of other api7 lua-resty repositories.
@AlinsRan AlinsRan changed the title ci: add release workflow to publish to luarocks on tag ci: add release workflow (aligned with api7 lua-resty-healthcheck) Jul 8, 2026

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🧹 Nitpick comments (3)
.github/workflows/release.yml (3)

15-16: 🔒 Security & Privacy | 🔵 Trivial | 💤 Low value

Consider persist-credentials: false on checkout.

Reduces the risk of the ephemeral GITHUB_TOKEN leaking via the persisted git credential helper for the rest of the job.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release.yml around lines 15 - 16, The checkout step
currently uses the default git credential persistence, which can leave the job
token available for later steps. Update the existing actions/checkout usage in
the release workflow to disable credential persistence by setting
persist-credentials to false on the checkout step, keeping the fix localized to
the Checkout code action.

Source: Linters/SAST tools


15-16: 🩺 Stability & Availability | 🔵 Trivial | ⚡ Quick win

Bump actions/checkout version.

actions/checkout@v2 is too old to run on the current GitHub Actions runner image; bump to a supported major version (e.g. @v4).

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release.yml around lines 15 - 16, The Checkout step in the
release workflow is using an outdated actions version, so update the
actions/checkout reference in the workflow to a supported major version. Locate
the Checkout code step in the release job and bump the existing actions/checkout
usage to a current release such as v4, keeping the step name and behavior
unchanged.

Source: Linters/SAST tools


39-47: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

actions/create-release@v1 is archived/unmaintained.

The upstream repository for this action is archived, so it receives no fixes or security patches. Migrate to a maintained alternative such as softprops/action-gh-release or gh release create via the GitHub CLI.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release.yml around lines 39 - 47, The Create Release step
still uses the archived actions/create-release@v1 action, so update the release
job to use a maintained release mechanism instead. Replace the existing Create
Release step in the workflow with either softprops/action-gh-release or a GitHub
CLI gh release create invocation, and keep the current release metadata from
release_env.outputs.version so the release tag/name behavior stays the same.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/release.yml:
- Around line 24-37: The release name extraction step is vulnerable because
`github.event.head_commit.message` is interpolated directly into the bash script
in `release_env`. Move the commit message into an environment variable for that
step, then read it from the shell instead of inline template expansion, and keep
the parsing/validation logic in `Extract release name` using the existing
`re`/`BASH_REMATCH` flow. This prevents untrusted commit text from being treated
as shell syntax while preserving the version parsing behavior.
- Around line 49-54: In the Upload to luarocks step, stop interpolating
steps.release_env.outputs.version_withou_v directly inside the run script and
pass the version through an env var instead to avoid template/script injection.
Also replace the hardcoded rockspec filename in the luarocks upload command with
a version-based glob that matches lua-resty-session-<version>-*.rockspec so the
upload works regardless of revision suffix or the api7 infix.

---

Nitpick comments:
In @.github/workflows/release.yml:
- Around line 15-16: The checkout step currently uses the default git credential
persistence, which can leave the job token available for later steps. Update the
existing actions/checkout usage in the release workflow to disable credential
persistence by setting persist-credentials to false on the checkout step,
keeping the fix localized to the Checkout code action.
- Around line 15-16: The Checkout step in the release workflow is using an
outdated actions version, so update the actions/checkout reference in the
workflow to a supported major version. Locate the Checkout code step in the
release job and bump the existing actions/checkout usage to a current release
such as v4, keeping the step name and behavior unchanged.
- Around line 39-47: The Create Release step still uses the archived
actions/create-release@v1 action, so update the release job to use a maintained
release mechanism instead. Replace the existing Create Release step in the
workflow with either softprops/action-gh-release or a GitHub CLI gh release
create invocation, and keep the current release metadata from
release_env.outputs.version so the release tag/name behavior stays the same.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: e33d26c7-7c7a-46a8-8626-4e4f899dca37

📥 Commits

Reviewing files that changed from the base of the PR and between ef3f423 and c104ade.

📒 Files selected for processing (1)
  • .github/workflows/release.yml

Comment thread .github/workflows/release.yml
Comment thread .github/workflows/release.yml Outdated
Add the release workflow and the 4.1.6 rockspec, published to luarocks as
the api7-owned package lua-resty-session-api7.

The workflow follows the release CI of other api7 lua-resty repositories
(healthcheck / etcd / radixtree / expr): a rockspec commit on master with a
'feat: release vX.Y.Z' message creates the GitHub release/tag and uploads
the rockspec to luarocks.

Hardened against the script-injection issue present in the reference
workflows: the commit message and derived step outputs are passed through
env vars instead of being interpolated into the run script.
@AlinsRan AlinsRan changed the title ci: add release workflow (aligned with api7 lua-resty-healthcheck) feat: release v4.1.6 Jul 9, 2026

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (3)
.github/workflows/release.yml (3)

45-50: 🧹 Nitpick | 🔵 Trivial

No idempotency guard for re-running the release job.

If the workflow is re-triggered for the same commit (e.g., re-run after a transient failure), gh release create will fail outright since the tag/release already exists, requiring manual cleanup.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release.yml around lines 45 - 50, The Create Release step
in the release workflow is not safe to re-run because gh release create will
fail when the version already exists. Update the release job around the Create
Release step to detect an existing tag/release for the VERSION from release_env
before creating it, and skip creation or update the existing release instead so
reruns for the same commit are idempotent.

34-43: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

No validation on parsed version before use in file path.

version_without_v is captured via \S+ from an attacker-influenceable commit message and later interpolated into a filesystem path (rockspecs/lua-resty-session-api7-${VERSION_WITHOUT_V}-0.rockspec) for luarocks upload. Since \S+ permits / or .., a crafted commit message could reference an unintended path within the checkout. Consider constraining the captured group to a strict semver pattern (e.g. ([0-9]+\.[0-9]+\.[0-9]+)).

🛡️ Proposed fix
-          re="^feat: release v*(\S+)"
+          re="^feat: release v?([0-9]+\.[0-9]+\.[0-9]+)"

Also applies to: 52-58

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release.yml around lines 34 - 43, The release workflow’s
version parsing in the commit-message check is too permissive because `re` in
the commit validation step captures `version_without_v` with `\S+`, which can
later be used in the rockspec path. Tighten the pattern used in that shell block
so `BASH_REMATCH[1]` only accepts a strict semver-style version from
`COMMIT_MESSAGE`, and keep the `version`/`version_without_v` outputs based on
that validated capture before `luarocks upload` uses `VERSION_WITHOUT_V`.

36-36: 🎯 Functional Correctness | 🔵 Trivial | 💤 Low value

Regex uses v* (zero-or-more) instead of v? (optional single v).

v* also matches multiple leading vs (e.g. feat: release vv1.2.3), which isn't the intended "optional v prefix" semantics.

🔧 Proposed fix
-          re="^feat: release v*(\S+)"
+          re="^feat: release v?(\S+)"
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release.yml at line 36, The release tag matching regex in
the workflow uses v* instead of an optional single v, which can match multiple
leading v characters. Update the regex in the release workflow to use the
existing release pattern with a single optional v prefix so it only accepts
versions like feat: release v1.2.3 or feat: release 1.2.3, and keep the change
localized to the release rule entry.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In @.github/workflows/release.yml:
- Around line 45-50: The Create Release step in the release workflow is not safe
to re-run because gh release create will fail when the version already exists.
Update the release job around the Create Release step to detect an existing
tag/release for the VERSION from release_env before creating it, and skip
creation or update the existing release instead so reruns for the same commit
are idempotent.
- Around line 34-43: The release workflow’s version parsing in the
commit-message check is too permissive because `re` in the commit validation
step captures `version_without_v` with `\S+`, which can later be used in the
rockspec path. Tighten the pattern used in that shell block so `BASH_REMATCH[1]`
only accepts a strict semver-style version from `COMMIT_MESSAGE`, and keep the
`version`/`version_without_v` outputs based on that validated capture before
`luarocks upload` uses `VERSION_WITHOUT_V`.
- Line 36: The release tag matching regex in the workflow uses v* instead of an
optional single v, which can match multiple leading v characters. Update the
regex in the release workflow to use the existing release pattern with a single
optional v prefix so it only accepts versions like feat: release v1.2.3 or feat:
release 1.2.3, and keep the change localized to the release rule entry.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: fcb78219-6e82-40be-b203-88c941543270

📥 Commits

Reviewing files that changed from the base of the PR and between c104ade and 0f516c7.

📒 Files selected for processing (2)
  • .github/workflows/release.yml
  • rockspecs/lua-resty-session-api7-4.1.6-0.rockspec

luarocks' get_default_rockspec() scans '.', 'rockspec' and 'rockspecs',
so adding rockspecs/ makes a bare 'luarocks make' ambiguous. The tests run
inside docker with -w /test, so the cwd basename can't disambiguate by
package name either. Pass the root rockspec explicitly.
@AlinsRan AlinsRan merged commit bd4d34a into master Jul 9, 2026
4 checks passed
@AlinsRan AlinsRan deleted the ci/release-luarocks branch July 9, 2026 06:21
AlinsRan added a commit that referenced this pull request Jul 9, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant