Sanitizing Quotes in PR Titles #27065
-
I want to script our release automation to handle PR titles and descriptions. However, when a PR’s title or description contains any single or double quotes or other control characters like backticks, the shell interprets those quotes and causes the action to fail. Here’s an example of the problem I’m talking about. If the PR title or description contains a quote, this action fails. By the time sed gets access to sanitize the input, it’s already too late and the GitHub Action has terminated. Is there any mechanism I can use to sanitize the PR body and title input before the step reaches a syntax error?
Before anyone asks, the built-in
Replies: 7 comments 1 reply
-
I don’t think there’s a built-in way to do that. What I’d do is read the file github.event_path points at with a JSON parser and sanitize the fields from there, without first having to pass the strings through the shell (or any other programming language). For example, to get a shell-escaped version of the pull request title using Python in the PR_TITLE environment variable:
Maybe the documentation should actually warn about directly using user-supplied data in workflows… 🤔
-
Hey, this has got me very close to a solution, but I’m seeing an issue when I echo the contents of
Results in:
Should I be using something other than
-
Could you share a bit more about how your workflow and the inputs look? In most cases
-
Sure thing. When a pull request is merged, I’m adding the pull request title to the end of a markdown file (changelog). I want to cover bases where the PR title has single or double quotes, but also backticks. These are the two steps doing the processing:
And this is converting this:
To this in the file:
-
I think removing the
This is producing the correct output. Does anything look dangerous?
-
It depends on what kind of escaping you need, so if you don’t need a shell-escaped version of the title that should work. But if you just want to append to the changelog, why not do it directly from the Python fragment, without the detour via
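The two suggestions in this thread (read the payload that github.event_path points at with a JSON parser instead of letting the shell parse the title, and append to the changelog directly from Python) combined into one script. This is an added example, not code posted in the discussion. It assumes a pull_request payload with the fields in the constructed SAMPLE_EVENT below; the function names and the ghadelim_ delimiter prefix are the example's own. Values are written to the GITHUB_ENV file with the documented multi-line form (NAME<<DELIMITER … DELIMITER), using a random delimiter so an attacker-chosen title or body cannot terminate the block early.

```python
import json
import os
import secrets
import shlex
import tempfile

# Constructed sample of the JSON that $GITHUB_EVENT_PATH points at for a
# pull_request event (hypothetical values, trimmed to the fields used here).
# The title deliberately carries every character the thread worries about.
SAMPLE_EVENT = {
    "pull_request": {
        "number": 42,
        "title": "Fix `config` loader; it's \"broken\" when $HOME is unset",
        "body": "Line one\nLine two with `backticks` and a ' quote",
    }
}


def load_event(path):
    """Parse the webhook payload with a JSON parser; the shell never sees it."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def pr_fields(event):
    """Return (number, title, body) from a pull_request payload."""
    pr = event["pull_request"]
    return pr["number"], pr["title"], pr.get("body") or ""


def shell_quoted(value):
    """POSIX-sh single-quoted form, for the rare case where the value must be
    spliced into a generated command line rather than read as "$VAR"."""
    return shlex.quote(value)


def export_env(github_env_path, name, value):
    """Append NAME=value to the GITHUB_ENV file in its multi-line heredoc form.

    A random delimiter means the value itself can never contain the terminator,
    so a crafted title cannot inject a second variable into the file."""
    delim = "ghadelim_" + secrets.token_hex(16)
    if delim in value:  # practically impossible; fail closed rather than write
        raise ValueError("delimiter collision")
    with open(github_env_path, "a", encoding="utf-8") as fh:
        fh.write(f"{name}<<{delim}\n{value}\n{delim}\n")


def append_changelog(changelog_path, number, title):
    """Write the changelog entry with file I/O; quotes and backticks survive."""
    line = f"- {title} (#{number})\n"
    with open(changelog_path, "a", encoding="utf-8") as fh:
        fh.write(line)
    return line


def process(event_path, changelog_path, github_env_path):
    """One step: parse the event, export the fields, append the changelog."""
    number, title, body = pr_fields(load_event(event_path))
    export_env(github_env_path, "PR_TITLE", title)
    export_env(github_env_path, "PR_BODY", body)
    export_env(github_env_path, "PR_TITLE_QUOTED", shell_quoted(title))
    return append_changelog(changelog_path, number, title)


def demo():
    """Run end-to-end against the constructed payload in a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        event_path = os.path.join(d, "event.json")
        with open(event_path, "w", encoding="utf-8") as fh:
            json.dump(SAMPLE_EVENT, fh)
        changelog = os.path.join(d, "CHANGELOG.md")
        env_file = os.path.join(d, "github_env")
        line = process(event_path, changelog, env_file)
        with open(env_file, encoding="utf-8") as fh:
            env_text = fh.read()
        return line, env_text


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 4:
        # In a workflow step:
        #   python3 sanitize_pr.py "$GITHUB_EVENT_PATH" CHANGELOG.md "$GITHUB_ENV"
        print(process(*sys.argv[1:]), end="")
    else:
        line, env_text = demo()
        print(line + env_text, end="")
```

Later steps read the exported value as "$PR_TITLE" (double-quoted): the shell does not re-parse the contents of a variable, so quotes and backticks inside it are inert, which is why the plain export rather than the shlex-quoted one is what the changelog step wants. PR_TITLE_QUOTED is only for the case where the title has to be embedded in a command string that will be parsed again. The pattern to keep out of workflows is ${{ github.event.pull_request.title }} inside a run: block, because that expression is substituted into the script text before the shell parses it, which is exactly the failure (and the injection risk) the question describes.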
-
According to the docs, loading it into an env var first works: