feat: release v4.1.6#2
Conversation
Pushing a `v*` tag creates a GitHub release and uploads the matching root rockspec to luarocks. Follows the release CI convention used by other api7 lua-resty repositories, adapted to this repo's tag-based release flow and root rockspec layout. Requires the `LUAROCKS_TOKEN` repository secret.
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (2)
✅ Files skipped from review due to trivial changes (1)
📝 WalkthroughWalkthroughUpdates release publishing to derive versions from commit messages, adds a versioned rockspec, and changes CI workflows to build from explicit rockspec files. ChangesRelease Workflow
Estimated code review effort: 2 (Simple) | ~10 minutes 🚥 Pre-merge checks | ✅ 6✅ Passed checks (6 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
There was a problem hiding this comment.
🧹 Nitpick comments (2)
.github/workflows/release.yml (2)
16-17: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick winDisable credential persistence on checkout.
zizmor flags
actions/checkout@v4here for not settingpersist-credentials: false. The job doesn't need to push using the checked-out credentials (release/upload use explicitGH_TOKEN/LUAROCKS_TOKEN), so persisting the token in the local git config is unnecessary exposure.🔒 Proposed fix
- name: Checkout code uses: actions/checkout@v4 + with: + persist-credentials: false🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/release.yml around lines 16 - 17, The release workflow’s Checkout code step uses actions/checkout@v4 without disabling credential persistence. Update that checkout step to set persist-credentials to false so the job does not leave the GitHub token in the local git config, since later release/upload steps use explicit GH_TOKEN and LUAROCKS_TOKEN instead.Source: Linters/SAST tools
39-51: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick winAvoid direct template expansion of step outputs in
run:scripts.zizmor flags lines 43, 44, and 51 for template-injection risk:
${{ steps.release_env.outputs.tag }}and.rockspecare expanded inline into the shell script before execution rather than passed as quoted environment variables. Practical risk is low here since values derive from a maintainer-pushed tag and a filename match on the repo's own naming convention, but hardening is trivial and matches the pattern already used for secrets (GH_TOKEN,LUAROCKS_TOKEN) in this same file.🔒 Proposed fix
- name: Create GitHub release env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + RELEASE_TAG: ${{ steps.release_env.outputs.tag }} run: | - gh release create "${{ steps.release_env.outputs.tag }}" \ - --title "${{ steps.release_env.outputs.tag }}" \ + gh release create "${RELEASE_TAG}" \ + --title "${RELEASE_TAG}" \ --generate-notes - name: Upload to luarocks env: LUAROCKS_TOKEN: ${{ secrets.LUAROCKS_TOKEN }} + ROCKSPEC_PATH: ${{ steps.release_env.outputs.rockspec }} run: | - luarocks upload "${{ steps.release_env.outputs.rockspec }}" --api-key="${LUAROCKS_TOKEN}" + luarocks upload "${ROCKSPEC_PATH}" --api-key="${LUAROCKS_TOKEN}"🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/release.yml around lines 39 - 51, Inline GitHub Actions template outputs in the release jobs are being expanded directly inside the shell scripts, which zizmor flags as template-injection risk. Update the Create GitHub release and Upload to luarocks steps to pass steps.release_env.outputs.tag and steps.release_env.outputs.rockspec through env variables first, then reference those shell variables in the gh and luarocks commands, matching the existing GH_TOKEN and LUAROCKS_TOKEN pattern.Source: Linters/SAST tools
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In @.github/workflows/release.yml:
- Around line 16-17: The release workflow’s Checkout code step uses
actions/checkout@v4 without disabling credential persistence. Update that
checkout step to set persist-credentials to false so the job does not leave the
GitHub token in the local git config, since later release/upload steps use
explicit GH_TOKEN and LUAROCKS_TOKEN instead.
- Around line 39-51: Inline GitHub Actions template outputs in the release jobs
are being expanded directly inside the shell scripts, which zizmor flags as
template-injection risk. Update the Create GitHub release and Upload to luarocks
steps to pass steps.release_env.outputs.tag and
steps.release_env.outputs.rockspec through env variables first, then reference
those shell variables in the gh and luarocks commands, matching the existing
GH_TOKEN and LUAROCKS_TOKEN pattern.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 66869e6d-d003-4dd4-99b1-ef37b09abf27
📒 Files selected for processing (1)
.github/workflows/release.yml
luarocks upload needs dkjson to communicate with the luarocks.org API, matching the release workflow of other api7 lua-resty repositories.
Trigger on rockspec commits to master (paths: rockspecs/**), parse the version from a 'feat: release vX.Y.Z' commit message, create the GitHub release/tag, and upload rockspecs/lua-resty-session-api7-<version>-0.rockspec to luarocks. Mirrors the release CI of other api7 lua-resty repositories.
There was a problem hiding this comment.
Actionable comments posted: 2
🧹 Nitpick comments (3)
.github/workflows/release.yml (3)
15-16: 🔒 Security & Privacy | 🔵 Trivial | 💤 Low valueConsider
persist-credentials: falseon checkout.Reduces the risk of the ephemeral
GITHUB_TOKENleaking via the persisted git credential helper for the rest of the job.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/release.yml around lines 15 - 16, The checkout step currently uses the default git credential persistence, which can leave the job token available for later steps. Update the existing actions/checkout usage in the release workflow to disable credential persistence by setting persist-credentials to false on the checkout step, keeping the fix localized to the Checkout code action.Source: Linters/SAST tools
15-16: 🩺 Stability & Availability | 🔵 Trivial | ⚡ Quick winBump
actions/checkoutversion.
actions/checkout@v2is too old to run on the current GitHub Actions runner image; bump to a supported major version (e.g.@v4).🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/release.yml around lines 15 - 16, The Checkout step in the release workflow is using an outdated actions version, so update the actions/checkout reference in the workflow to a supported major version. Locate the Checkout code step in the release job and bump the existing actions/checkout usage to a current release such as v4, keeping the step name and behavior unchanged.Source: Linters/SAST tools
39-47: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win
actions/create-release@v1is archived/unmaintained.The upstream repository for this action is archived, so it receives no fixes or security patches. Migrate to a maintained alternative such as
softprops/action-gh-releaseorgh release createvia the GitHub CLI.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/release.yml around lines 39 - 47, The Create Release step still uses the archived actions/create-release@v1 action, so update the release job to use a maintained release mechanism instead. Replace the existing Create Release step in the workflow with either softprops/action-gh-release or a GitHub CLI gh release create invocation, and keep the current release metadata from release_env.outputs.version so the release tag/name behavior stays the same.Source: Linters/SAST tools
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/release.yml:
- Around line 24-37: The release name extraction step is vulnerable because
`github.event.head_commit.message` is interpolated directly into the bash script
in `release_env`. Move the commit message into an environment variable for that
step, then read it from the shell instead of inline template expansion, and keep
the parsing/validation logic in `Extract release name` using the existing
`re`/`BASH_REMATCH` flow. This prevents untrusted commit text from being treated
as shell syntax while preserving the version parsing behavior.
- Around line 49-54: In the Upload to luarocks step, stop interpolating
steps.release_env.outputs.version_withou_v directly inside the run script and
pass the version through an env var instead to avoid template/script injection.
Also replace the hardcoded rockspec filename in the luarocks upload command with
a version-based glob that matches lua-resty-session-<version>-*.rockspec so the
upload works regardless of revision suffix or the api7 infix.
---
Nitpick comments:
In @.github/workflows/release.yml:
- Around line 15-16: The checkout step currently uses the default git credential
persistence, which can leave the job token available for later steps. Update the
existing actions/checkout usage in the release workflow to disable credential
persistence by setting persist-credentials to false on the checkout step,
keeping the fix localized to the Checkout code action.
- Around line 15-16: The Checkout step in the release workflow is using an
outdated actions version, so update the actions/checkout reference in the
workflow to a supported major version. Locate the Checkout code step in the
release job and bump the existing actions/checkout usage to a current release
such as v4, keeping the step name and behavior unchanged.
- Around line 39-47: The Create Release step still uses the archived
actions/create-release@v1 action, so update the release job to use a maintained
release mechanism instead. Replace the existing Create Release step in the
workflow with either softprops/action-gh-release or a GitHub CLI gh release
create invocation, and keep the current release metadata from
release_env.outputs.version so the release tag/name behavior stays the same.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: e33d26c7-7c7a-46a8-8626-4e4f899dca37
📒 Files selected for processing (1)
.github/workflows/release.yml
Add the release workflow and the 4.1.6 rockspec, published to luarocks as the api7-owned package lua-resty-session-api7. The workflow follows the release CI of other api7 lua-resty repositories (healthcheck / etcd / radixtree / expr): a rockspec commit on master with a 'feat: release vX.Y.Z' message creates the GitHub release/tag and uploads the rockspec to luarocks. Hardened against the script-injection issue present in the reference workflows: the commit message and derived step outputs are passed through env vars instead of being interpolated into the run script.
There was a problem hiding this comment.
🧹 Nitpick comments (3)
.github/workflows/release.yml (3)
45-50: 🧹 Nitpick | 🔵 TrivialNo idempotency guard for re-running the release job.
If the workflow is re-triggered for the same commit (e.g., re-run after a transient failure),
gh release createwill fail outright since the tag/release already exists, requiring manual cleanup.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/release.yml around lines 45 - 50, The Create Release step in the release workflow is not safe to re-run because gh release create will fail when the version already exists. Update the release job around the Create Release step to detect an existing tag/release for the VERSION from release_env before creating it, and skip creation or update the existing release instead so reruns for the same commit are idempotent.
34-43: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick winNo validation on parsed version before use in file path.
version_without_vis captured via\S+from an attacker-influenceable commit message and later interpolated into a filesystem path (rockspecs/lua-resty-session-api7-${VERSION_WITHOUT_V}-0.rockspec) forluarocks upload. Since\S+permits/or.., a crafted commit message could reference an unintended path within the checkout. Consider constraining the captured group to a strict semver pattern (e.g.([0-9]+\.[0-9]+\.[0-9]+)).🛡️ Proposed fix
- re="^feat: release v*(\S+)" + re="^feat: release v?([0-9]+\.[0-9]+\.[0-9]+)"Also applies to: 52-58
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/release.yml around lines 34 - 43, The release workflow’s version parsing in the commit-message check is too permissive because `re` in the commit validation step captures `version_without_v` with `\S+`, which can later be used in the rockspec path. Tighten the pattern used in that shell block so `BASH_REMATCH[1]` only accepts a strict semver-style version from `COMMIT_MESSAGE`, and keep the `version`/`version_without_v` outputs based on that validated capture before `luarocks upload` uses `VERSION_WITHOUT_V`.
36-36: 🎯 Functional Correctness | 🔵 Trivial | 💤 Low valueRegex uses
v*(zero-or-more) instead ofv?(optional singlev).
v*also matches multiple leadingvs (e.g.feat: release vv1.2.3), which isn't the intended "optional v prefix" semantics.🔧 Proposed fix
- re="^feat: release v*(\S+)" + re="^feat: release v?(\S+)"🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/release.yml at line 36, The release tag matching regex in the workflow uses v* instead of an optional single v, which can match multiple leading v characters. Update the regex in the release workflow to use the existing release pattern with a single optional v prefix so it only accepts versions like feat: release v1.2.3 or feat: release 1.2.3, and keep the change localized to the release rule entry.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In @.github/workflows/release.yml:
- Around line 45-50: The Create Release step in the release workflow is not safe
to re-run because gh release create will fail when the version already exists.
Update the release job around the Create Release step to detect an existing
tag/release for the VERSION from release_env before creating it, and skip
creation or update the existing release instead so reruns for the same commit
are idempotent.
- Around line 34-43: The release workflow’s version parsing in the
commit-message check is too permissive because `re` in the commit validation
step captures `version_without_v` with `\S+`, which can later be used in the
rockspec path. Tighten the pattern used in that shell block so `BASH_REMATCH[1]`
only accepts a strict semver-style version from `COMMIT_MESSAGE`, and keep the
`version`/`version_without_v` outputs based on that validated capture before
`luarocks upload` uses `VERSION_WITHOUT_V`.
- Line 36: The release tag matching regex in the workflow uses v* instead of an
optional single v, which can match multiple leading v characters. Update the
regex in the release workflow to use the existing release pattern with a single
optional v prefix so it only accepts versions like feat: release v1.2.3 or feat:
release 1.2.3, and keep the change localized to the release rule entry.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: fcb78219-6e82-40be-b203-88c941543270
📒 Files selected for processing (2)
.github/workflows/release.ymlrockspecs/lua-resty-session-api7-4.1.6-0.rockspec
luarocks' get_default_rockspec() scans '.', 'rockspec' and 'rockspecs', so adding rockspecs/ makes a bare 'luarocks make' ambiguous. The tests run inside docker with -w /test, so the cwd basename can't disambiguate by package name either. Pass the root rockspec explicitly.
Adds the release workflow and cuts
v4.1.6, the first api7 release of this fork — carrying the empty-array fix from #1.What's in the release
#1 (
decode_array_with_array_mton the session cjson instance) — without it, an empty array in OIDC userinfo claims (groups,roles) is decoded on session load without the array metatable and re-encoded as{}, corruptingX-Userinfo. See apache/apisix#13440.Release workflow
Follows the release CI of the other api7
lua-restyrepositories (healthcheck / etcd / radixtree / expr):mastertouchingrockspecs/**feat: release vX.Y.Zcommit messageluarocks uploadPublished as
lua-resty-session-api7— an api7-owned luarocks package, matching the-api7convention of the other forks and sidestepping upstream package ownership.Deviations from the reference workflows (deliberate)
The reference workflows interpolate
github.event.head_commit.messagestraight into therun:script, which is a shell-injection vector (flagged by actionlint and zizmor): a crafted commit message can execute arbitrary commands on the runner and exfiltrateLUAROCKS_TOKEN. Here the commit message and the derived step outputs are passed throughenv:vars instead, so no template expansion occurs inside anyrun:body. Also setspersist-credentials: falseon checkout, and usesgh release createrather than the archivedactions/create-release@v1.Merge order
v4.1.6tag points at a commit containing the fix.feat: release v4.1.6(the workflow parses the version from it).LUAROCKS_TOKENrepository secret.Summary by CodeRabbit
masterbranch, deriving the version from a commit-message pattern (fails if it doesn’t match).lua-resty-session-api7rockspec version4.1.6-0with module entrypoints and runtime dependencies.