From e2aa696a1763bf717e7f593eaf310d64e97228dd Mon Sep 17 00:00:00 2001
From: Harrison Cramer
Date: Wed, 4 Mar 2026 07:24:30 -0500
Subject: [PATCH 1/4] fix: install correct version in action
---
 actions/setup-cli/install.sh | 10 ++++++++--
 actions/setup-cli/install_test.sh | 15 ++++++++-------
 2 files changed, 16 insertions(+), 9 deletions(-)
diff --git a/actions/setup-cli/install.sh b/actions/setup-cli/install.sh
index e1ac3479a12..27068c344ff 100755
--- a/actions/setup-cli/install.sh
+++ b/actions/setup-cli/install.sh
@@ -239,8 +239,14 @@ fi
 if [ "$TRY_GH_INSTALL" = true ] && command -v gh &> /dev/null; then
 print_info "Attempting to install gh-aw using 'gh extension install'..."
+ # Build the install command with version pinning if specified
+ INSTALL_CMD="gh extension install \"$REPO\" --force"
+ if [ -n "$VERSION" ] && [ "$VERSION" != "latest" ]; then
+ INSTALL_CMD="gh extension install \"$REPO\" --force --pin \"$VERSION\""
+ fi
+
 # Try to install using gh
- if gh extension install "$REPO" --force 2>&1 | tee /tmp/gh-install.log; then
+ if eval "$INSTALL_CMD" 2>&1 | tee /tmp/gh-install.log; then
 # Verify the installation succeeded
 if gh aw version &> /dev/null; then
 INSTALLED_VERSION=$(gh aw version 2>&1 | grep -oE 'v[0-9]+\.[0-9]+\.[0-9]+' | head -1)
@@ -249,7 +255,7 @@ if [ "$TRY_GH_INSTALL" = true ] && command -v gh &> /dev/null; then
 # Set output for GitHub Actions
 if [ -n "${GITHUB_OUTPUT}" ]; then
- echo "installed_version=${VERSION}" >> "${GITHUB_OUTPUT}"
+ echo "installed_version=${INSTALLED_VERSION}" >> "${GITHUB_OUTPUT}"
 fi
 exit 0
diff --git a/actions/setup-cli/install_test.sh b/actions/setup-cli/install_test.sh
index 3601d322843..b66574ce064 100755
--- a/actions/setup-cli/install_test.sh
+++ b/actions/setup-cli/install_test.sh
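Review bot: The new `if eval "$INSTALL_CMD" 2>&1 | tee /tmp/gh-install.log; then` re-parses `$VERSION` through the shell, so a version input containing shell metacharacters is interpreted as shell syntax instead of being handed to `gh` as a single argument; PATCH 4/4 of this series removes the `eval`, so the series should be squashed so that this form never lands as a commit of its own. Independently of that, the `if` tests the exit status of `tee`, not of the install, unless `set -o pipefail` is in effect earlier in the script (not visible here), so a failed `gh extension install` still enters the success branch and only the later `gh aw version` check catches it; the same applies to the `|| install_result=$?` captures in the PATCH 4/4 hunk. Either enable pipefail before this block or read `${PIPESTATUS[0]}` immediately after the pipeline. The enclosing `if [ "$TRY_GH_INSTALL" = true ]` block continues past the end of the hunk.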
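Review bot: `echo "installed_version=${INSTALLED_VERSION}" >> "${GITHUB_OUTPUT}"` can write an empty value, because `INSTALLED_VERSION` comes from a `grep -oE ... | head -1` that yields nothing when `gh aw version` prints no `vX.Y.Z` token, and nothing in this block checks for that case. Guarding the write with `: "${INSTALLED_VERSION:?could not determine installed gh-aw version}"` (or the script's own error helper and a non-zero exit, if it has one) keeps the output trustworthy for downstream steps; the `grep -oE` pattern already confines the value to a single semver token, so no newline can reach `GITHUB_OUTPUT` from it. The enclosing `if gh aw version` block starts before this hunk.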
@@ -82,15 +82,16 @@ test_gh_install() {
 fi
 }
-# Test 5: Verify release validation
-test_release_validation() {
+# Test 5: Verify version pinning support
+test_version_pinning() {
 echo ""
- echo "Test 5: Verify release validation"
+ echo "Test 5: Verify version pinning for gh extension install"
- if grep -q "Validating release.*exists" "$SCRIPT_PATH"; then
- print_result "Script includes release validation" "PASS"
+ # Check if script uses --pin flag for version specification
+ if grep -q "\-\-pin.*VERSION" "$SCRIPT_PATH"; then
+ print_result "Script supports version pinning" "PASS"
 else
- print_result "Script missing release validation" "FAIL"
+ print_result "Script missing version pinning support" "FAIL"
 fi
 }
@@ -116,7 +117,7 @@ test_script_syntax
 test_executable
 test_input_version
 test_gh_install
-test_release_validation
+test_version_pinning
 test_checksum_validation
 # Summary
From 8f2c97561c4d21321b0c7ab22c354e6c7986a1e2 Mon Sep 17 00:00:00 2001
From: Harrison Cramer
Date: Wed, 4 Mar 2026 08:48:26 -0500
Subject: [PATCH 2/4] Updated actions/setup-cli/install_test.sh
---
 actions/setup-cli/install_test.sh | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/actions/setup-cli/install_test.sh b/actions/setup-cli/install_test.sh
index b66574ce064..1b434c3bfe4 100755
--- a/actions/setup-cli/install_test.sh
+++ b/actions/setup-cli/install_test.sh
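Review bot: Replacing `test_release_validation` with `test_version_pinning` removes the only check that install.sh validates the requested release exists; unless that `Validating release ... exists` path was also removed from install.sh (no such change is in this series), keep the old test and add the new one as Test 6, updating the call list in the second hunk (`@@ -116,7 +117,7 @@`) to call both. Both tests only grep the script's source text, so they pass on any file that mentions `--pin` and `VERSION`, which is why PATCH 2/4 has to tighten the pattern again; a check that runs the script with `INPUT_VERSION` set and a stub `gh` on `PATH` that records its arguments would exercise the behaviour instead. The `"\-\-pin.*VERSION"` pattern also depends on GNU grep treating `\-` as a literal dash; `grep -q -- '--pin.*VERSION'` is the portable spelling.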
@@ -87,11 +87,12 @@ test_version_pinning() {
 echo ""
 echo "Test 5: Verify version pinning for gh extension install"
- # Check if script uses --pin flag for version specification
- if grep -q "\-\-pin.*VERSION" "$SCRIPT_PATH"; then
- print_result "Script supports version pinning" "PASS"
+ # Check if script uses --pin flag with $VERSION variable AND checks VERSION != "latest"
+ if grep -q -- '--pin.*\$VERSION' "$SCRIPT_PATH" && \
+ grep -q '"\$VERSION" != "latest"' "$SCRIPT_PATH"; then
+ print_result "Script supports version pinning with correct variable usage" "PASS"
 else
- print_result "Script missing version pinning support" "FAIL"
+ print_result "Script missing proper version pinning support (must use --pin with \$VERSION and check VERSION != latest)" "FAIL"
 fi
 }
From bfef6a855a79e3b77a9d99550a62dec18cde5726 Mon Sep 17 00:00:00 2001
From: Harrison Cramer
Date: Wed, 4 Mar 2026 08:50:43 -0500
Subject: [PATCH 3/4] Updated actions/setup-cli/install_test.sh
---
 actions/setup-cli/install_test.sh | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/actions/setup-cli/install_test.sh b/actions/setup-cli/install_test.sh
index 1b434c3bfe4..d9773bee4a0 100755
--- a/actions/setup-cli/install_test.sh
+++ b/actions/setup-cli/install_test.sh
@@ -59,7 +59,7 @@ test_executable() {
 # Test 3: Verify INPUT_VERSION support
 test_input_version() {
 echo ""
- echo "Test 4: Verify INPUT_VERSION environment variable support"
+ echo "Test 3: Verify INPUT_VERSION environment variable support"
 # Check if script references INPUT_VERSION
 if grep -q "INPUT_VERSION" "$SCRIPT_PATH"; then
@@ -69,10 +69,10 @@ test_input_version() {
 fi
 }
-# Test 5: Verify gh extension install attempt
+# Test 4: Verify gh extension install attempt
 test_gh_install() {
 echo ""
- echo "Test 5: Verify gh extension install logic"
+ echo "Test 4: Verify gh extension install logic"
 # Check if script has gh extension install logic
 if grep -q "gh extension install" "$SCRIPT_PATH"; then
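Review bot: The tightened check still only confirms that `--pin` and `"$VERSION" != "latest"` appear somewhere in install.sh; the `eval "$INSTALL_CMD"` form from PATCH 1/4, which PATCH 4/4 removes because it re-parses the version input as shell syntax, satisfies both greps, so nothing in the suite would catch that form being reintroduced. Adding a negative assertion next to these, such as `if grep -q 'eval ' "$SCRIPT_PATH"; then print_result "Script must not eval the install command" "FAIL"; fi`, pins the property the security fix actually establishes (narrow the pattern if install.sh uses `eval` legitimately elsewhere, which is not visible here). The function's remaining lines are inside the hunk, so no further context is needed.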
From 13d797a49130807a695cb4284fc0f45a2d8346b5 Mon Sep 17 00:00:00 2001
From: Harrison Cramer
Date: Wed, 4 Mar 2026 08:55:35 -0500
Subject: [PATCH 4/4] Add security fix
---
 actions/setup-cli/install.sh | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/actions/setup-cli/install.sh b/actions/setup-cli/install.sh
index 27068c344ff..f02a0dc0e16 100755
--- a/actions/setup-cli/install.sh
+++ b/actions/setup-cli/install.sh
@@ -239,14 +239,15 @@ fi
 if [ "$TRY_GH_INSTALL" = true ] && command -v gh &> /dev/null; then
 print_info "Attempting to install gh-aw using 'gh extension install'..."
- # Build the install command with version pinning if specified
- INSTALL_CMD="gh extension install \"$REPO\" --force"
+ # Call gh extension install directly to avoid command injection
+ install_result=0
 if [ -n "$VERSION" ] && [ "$VERSION" != "latest" ]; then
- INSTALL_CMD="gh extension install \"$REPO\" --force --pin \"$VERSION\""
+ gh extension install "$REPO" --force --pin "$VERSION" 2>&1 | tee /tmp/gh-install.log || install_result=$?
+ else
+ gh extension install "$REPO" --force 2>&1 | tee /tmp/gh-install.log || install_result=$?
 fi
- # Try to install using gh
- if eval "$INSTALL_CMD" 2>&1 | tee /tmp/gh-install.log; then
+ if [ $install_result -eq 0 ]; then
 # Verify the installation succeeded
 if gh aw version &> /dev/null; then
 INSTALLED_VERSION=$(gh aw version 2>&1 | grep -oE 'v[0-9]+\.[0-9]+\.[0-9]+' | head -1)
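Review bot: The two `gh extension install ... | tee /tmp/gh-install.log || install_result=$?` branches duplicate the invocation and, unless `set -o pipefail` is already in effect earlier in the script (not visible here), store the exit status of `tee` rather than of `gh`, so `install_result` stays 0 after a failed install and the following `if [ $install_result -eq 0 ]` takes the success branch. Building the argument list in an array keeps the direct, injection-safe call, removes the duplication, and lets `${PIPESTATUS[0]}` capture gh's status without depending on pipefail; if the script runs under both `set -e` and pipefail, keep the existing `|| install_result=$?` trailer instead, which is correct once pipefail is on. `VERSION` (presumably derived from `INPUT_VERSION`) still reaches `--pin` unvalidated, so checking it against the same `v[0-9]+\.[0-9]+\.[0-9]+` shape the script already uses for `INSTALLED_VERSION` before this block would reject option-looking or otherwise malformed values early, and `"$install_result"` should be quoted in the test. The enclosing `if [ "$TRY_GH_INSTALL" = true ]` block continues past the end of the hunk.
```shell
    # Call gh extension install directly to avoid command injection
    install_args=(extension install "$REPO" --force)
    if [ -n "$VERSION" ] && [ "$VERSION" != "latest" ]; then
        install_args+=(--pin "$VERSION")
    fi
    gh "${install_args[@]}" 2>&1 | tee /tmp/gh-install.log
    install_result=${PIPESTATUS[0]}   # gh's own status, not tee's (bash-only; the script already relies on &>)

    if [ "$install_result" -eq 0 ]; then
        # … unchanged: installation verification and GITHUB_OUTPUT handling …
```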