From e80106d2b397ef80488f2023480e0b900b3ba187 Mon Sep 17 00:00:00 2001
From: Lucas Bedatty
Date: Thu, 26 Mar 2026 18:15:30 -0300
Subject: [PATCH 1/3] fix(slack): remove username and icon overrides to use app identity

---
 .github/workflows/slack-notify.yml | 2 --
 src/notify/slack-notify/action.yml | 2 --
 2 files changed, 4 deletions(-)

diff --git a/.github/workflows/slack-notify.yml b/.github/workflows/slack-notify.yml
index 929bf44a..819aa990 100644
--- a/.github/workflows/slack-notify.yml
+++ b/.github/workflows/slack-notify.yml
@@ -144,8 +144,6 @@ jobs:
 env:
 SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_URL }}
 SLACK_COLOR: ${{ steps.settings.outputs.color }}
- SLACK_USERNAME: GitHub Actions
- SLACK_ICON: https://github.githubassets.com/assets/GitHub-Mark-ea2971cee799.png
 SLACK_TITLE: ${{ github.repository }}
 SLACK_MESSAGE: ${{ steps.message.outputs.message }}
 SLACK_FOOTER: "Workflow: ${{ inputs.workflow_name }}"
diff --git a/src/notify/slack-notify/action.yml b/src/notify/slack-notify/action.yml
index d265944e..8b3a0b5e 100644
--- a/src/notify/slack-notify/action.yml
+++ b/src/notify/slack-notify/action.yml
@@ -121,8 +121,6 @@ runs:
 env:
 SLACK_WEBHOOK: ${{ inputs.webhook-url }}
 SLACK_COLOR: ${{ steps.settings.outputs.color }}
- SLACK_USERNAME: GitHub Actions
- SLACK_ICON: https://github.githubassets.com/assets/GitHub-Mark-ea2971cee799.png
 SLACK_TITLE: ${{ github.repository }}
 SLACK_MESSAGE: ${{ steps.message.outputs.message }}
 SLACK_FOOTER: "Workflow: ${{ inputs.workflow-name }}"
From ce323616db4d7addd0c5884f570f5dd329b8f5a7 Mon Sep 17 00:00:00 2001
From: Lucas Bedatty
Date: Thu, 26 Mar 2026 18:19:48 -0300
Subject: [PATCH 2/3] fix(slack): pin action SHA, quote GITHUB_OUTPUT, group redirects

---
 .github/workflows/slack-notify.yml | 22 +++++++++++++---------
 src/notify/slack-notify/action.yml | 22 +++++++++++++---------
 2 files changed, 26 insertions(+), 18 deletions(-)
diff --git a/.github/workflows/slack-notify.yml b/.github/workflows/slack-notify.yml
index 819aa990..94169493 100644
--- a/.github/workflows/slack-notify.yml
+++ b/.github/workflows/slack-notify.yml
@@ -47,10 +47,10 @@ jobs:
 id: check_webhook
 run: |
 if [ -z "${{ secrets.SLACK_WEBHOOK_URL }}" ]; then
- echo "skip=true" >> $GITHUB_OUTPUT
+ echo "skip=true" >> "$GITHUB_OUTPUT"
 echo "āš ļø SLACK_WEBHOOK_URL not configured - skipping notification"
 else
- echo "skip=false" >> $GITHUB_OUTPUT
+ echo "skip=false" >> "$GITHUB_OUTPUT"
 echo "āœ… Slack webhook configured"
 fi
@@ -83,9 +83,11 @@ jobs:
 ;;
 esac
- echo "color=$COLOR" >> $GITHUB_OUTPUT
- echo "emoji=$EMOJI" >> $GITHUB_OUTPUT
- echo "status_text=$STATUS_TEXT" >> $GITHUB_OUTPUT
+ {
+ echo "color=$COLOR"
+ echo "emoji=$EMOJI"
+ echo "status_text=$STATUS_TEXT"
+ } >> "$GITHUB_OUTPUT"
 - name: Build notification message
 if: steps.check_webhook.outputs.skip != 'true'
@@ -134,13 +136,15 @@ jobs:
 # Add link to workflow run
 MESSAGE="$MESSAGE\n\n<$RUN_URL|šŸ”— View Workflow Run>"
- echo "message<> $GITHUB_OUTPUT
- echo -e "$MESSAGE" >> $GITHUB_OUTPUT
- echo "EOF" >> $GITHUB_OUTPUT
+ {
+ echo "message<> "$GITHUB_OUTPUT"
 - name: Send Slack notification
 if: steps.check_webhook.outputs.skip != 'true'
- uses: rtCamp/action-slack-notify@v2
+ uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661 # v2
 env:
 SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_URL }}
 SLACK_COLOR: ${{ steps.settings.outputs.color }}
diff --git a/src/notify/slack-notify/action.yml b/src/notify/slack-notify/action.yml
index 8b3a0b5e..22b37880 100644
--- a/src/notify/slack-notify/action.yml
+++ b/src/notify/slack-notify/action.yml
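Review bot: The pinned `uses:` line in the "Send Slack notification" step annotates the SHA with `# v2`, a major tag that upstream re-points as releases land, so neither a reviewer nor pin-tracking tooling (Dependabot, Renovate, pinact) can check that e31e87e… is the commit that tag resolved to when it was pinned. Record the exact release tag the SHA was taken from in the trailing comment (the `# vN.N.N` form) rather than the moving major, and apply the same annotation to the identical line in action.yml so the two copies stay in step. The grouped heredoc above it is garbled in this rendering, so its delimiter is not reviewed here. The hunk begins mid-way through the build-message script and ends inside the `env:` block of the send step, whose remaining keys are outside the hunk.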
@@ -29,10 +29,10 @@ runs:
 shell: bash
 run: |
 if [ -z "${{ inputs.webhook-url }}" ]; then
- echo "skip=true" >> $GITHUB_OUTPUT
+ echo "skip=true" >> "$GITHUB_OUTPUT"
 echo "::notice::SLACK_WEBHOOK_URL not configured — skipping notification"
 else
- echo "skip=false" >> $GITHUB_OUTPUT
+ echo "skip=false" >> "$GITHUB_OUTPUT"
 fi
 # ----------------- Build Notification -----------------
@@ -66,9 +66,11 @@ runs:
 ;;
 esac
- echo "color=$COLOR" >> $GITHUB_OUTPUT
- echo "emoji=$EMOJI" >> $GITHUB_OUTPUT
- echo "status_text=$STATUS_TEXT" >> $GITHUB_OUTPUT
+ {
+ echo "color=$COLOR"
+ echo "emoji=$EMOJI"
+ echo "status_text=$STATUS_TEXT"
+ } >> "$GITHUB_OUTPUT"
 - name: Build notification message
 if: steps.check-webhook.outputs.skip != 'true'
@@ -110,14 +112,16 @@ runs:
 MESSAGE="$MESSAGE\n\n<$RUN_URL|šŸ”— View Workflow Run>"
- echo "message<> $GITHUB_OUTPUT
- echo -e "$MESSAGE" >> $GITHUB_OUTPUT
- echo "EOF" >> $GITHUB_OUTPUT
+ {
+ echo "message<> "$GITHUB_OUTPUT"
 # ----------------- Send Notification -----------------
 - name: Send Slack notification
 if: steps.check-webhook.outputs.skip != 'true'
- uses: rtCamp/action-slack-notify@v2
+ uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661 # v2
 env:
 SLACK_WEBHOOK: ${{ inputs.webhook-url }}
 SLACK_COLOR: ${{ steps.settings.outputs.color }}
From b65edddb69356276eedae4dc70819518aa1885de Mon Sep 17 00:00:00 2001
From: Lucas Bedatty
Date: Thu, 26 Mar 2026 18:22:37 -0300
Subject: [PATCH 3/3] fix(slack): pass untrusted contexts through env vars and fix trailing whitespace

---
 .github/workflows/slack-notify.yml | 83 ++++++++++++++++--------------
 1 file changed, 43 insertions(+), 40 deletions(-)

diff --git a/.github/workflows/slack-notify.yml b/.github/workflows/slack-notify.yml
index 94169493..cad19139 100644
--- a/.github/workflows/slack-notify.yml
+++ b/.github/workflows/slack-notify.yml
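Review bot: The webhook check in action.yml still interpolates `${{ inputs.webhook-url }}` straight into the bash script on the `if [ -z ... ]` line, so a caller-supplied value containing a double quote or `$(...)` is executed by the shell rather than compared; this composite action is the reusable entry point and the later env-var commit, whose diffstat lists only the workflow file, does not reach it. Pass the input through the step environment instead: add `env:` with `WEBHOOK_URL: ${{ inputs.webhook-url }}` to the step and change the test to `if [ -z "$WEBHOOK_URL" ]; then`. The step's `name` and `id` lines sit above the hunk.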
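Review bot: The grouped heredoc that writes `message` to `$GITHUB_OUTPUT` appears to keep a fixed `EOF` delimiter (the removed lines use it and this commit only regroups the redirects; the new lines are garbled in this rendering), so a message whose body contains a line reading `EOF` terminates the heredoc early and the remaining lines are parsed by the runner as further `key=value` outputs. Since `$MESSAGE` is assembled from caller-controlled inputs, use an unguessable delimiter: `delim="$(openssl rand -hex 16)"`, then `echo "message<<$delim"` and `echo "$delim"` in place of the fixed strings. The build-message script starts above the hunk, so exactly which inputs flow into `$MESSAGE` is not visible here.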
@@ -45,8 +45,10 @@ jobs:
 steps:
 - name: Check if Slack webhook is configured
 id: check_webhook
+ env:
+ SLACK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
 run: |
- if [ -z "${{ secrets.SLACK_WEBHOOK_URL }}" ]; then
+ if [ -z "$SLACK_URL" ]; then
 echo "skip=true" >> "$GITHUB_OUTPUT"
 echo "āš ļø SLACK_WEBHOOK_URL not configured - skipping notification"
 else
@@ -57,10 +59,10 @@ jobs:
 - name: Determine notification settings
 if: steps.check_webhook.outputs.skip != 'true'
 id: settings
+ env:
+ INPUT_STATUS: ${{ inputs.status }}
 run: |
- STATUS="${{ inputs.status }}"
-
- case "$STATUS" in
+ case "$INPUT_STATUS" in
 success)
 COLOR="good"
 EMOJI="āœ…"
@@ -79,10 +81,10 @@ jobs:
 *)
 COLOR="warning"
 EMOJI="āš ļø"
- STATUS_TEXT="completed with status: $STATUS"
+ STATUS_TEXT="completed with status: $INPUT_STATUS"
 ;;
 esac
-
+
 {
 echo "color=$COLOR"
 echo "emoji=$EMOJI"
@@ -92,50 +94,51 @@ jobs: - name: Build notification message if: steps.check_webhook.outputs.skip != 'true' id: message + env: + INPUT_WORKFLOW_NAME: ${{ inputs.workflow_name }} + INPUT_STATUS: ${{ inputs.status }} + INPUT_FAILED_JOBS: ${{ inputs.failed_jobs }} + INPUT_CUSTOM_MESSAGE: ${{ inputs.custom_message }} + STATUS_TEXT: ${{ steps.settings.outputs.status_text }} + EMOJI: ${{ steps.settings.outputs.emoji }} + GH_REPO: ${{ github.repository }} + GH_ACTOR: ${{ github.actor }} + GH_SERVER: ${{ github.server_url }} + GH_RUN_ID: ${{ github.run_id }} + GH_SHA: ${{ github.sha }} + GH_EVENT_NAME: ${{ github.event_name }} + GH_HEAD_REF: ${{ github.head_ref }} + GH_REF_NAME: ${{ github.ref_name }} + GH_PR_NUMBER: ${{ github.event.pull_request.number }} run: | - REPO="${{ github.repository }}" - REPO_NAME="${REPO##*/}" - WORKFLOW="${{ inputs.workflow_name }}" - STATUS="${{ inputs.status }}" - STATUS_TEXT="${{ steps.settings.outputs.status_text }}" - EMOJI="${{ steps.settings.outputs.emoji }}" - ACTOR="${{ github.actor }}" - RUN_URL="${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" - COMMIT_SHA="${{ github.sha }}" - SHORT_SHA="${COMMIT_SHA:0:7}" - + REPO_NAME="${GH_REPO##*/}" + SHORT_SHA="${GH_SHA:0:7}" + RUN_URL="${GH_SERVER}/${GH_REPO}/actions/runs/${GH_RUN_ID}" + # Handle different event types for ref info - if [ "${{ github.event_name }}" = "pull_request" ]; then - REF="PR #${{ github.event.pull_request.number }}" - BRANCH="${{ github.head_ref }}" + if [ "$GH_EVENT_NAME" = "pull_request" ]; then + BRANCH="$GH_HEAD_REF" else - REF="${{ github.ref_name }}" - BRANCH="$REF" + BRANCH="$GH_REF_NAME" fi - + # Build message - MESSAGE="$EMOJI *$WORKFLOW* $STATUS_TEXT in *$REPO_NAME*" - + MESSAGE="$EMOJI *$INPUT_WORKFLOW_NAME* $STATUS_TEXT in *$REPO_NAME*" + # Add failed jobs info if failure - FAILED_JOBS="${{ inputs.failed_jobs }}" - if [ "$STATUS" = "failure" ] && [ -n "$FAILED_JOBS" ]; then - MESSAGE="$MESSAGE\nšŸ’„ *Failed jobs:* 
$FAILED_JOBS" + if [ "$INPUT_STATUS" = "failure" ] && [ -n "$INPUT_FAILED_JOBS" ]; then + MESSAGE="$MESSAGE\nšŸ’„ *Failed jobs:* $INPUT_FAILED_JOBS" fi - - # Add author - MESSAGE="$MESSAGE\nšŸ‘¤ *Author:* $ACTOR" - - # Add ref and commit info + + MESSAGE="$MESSAGE\nšŸ‘¤ *Author:* $GH_ACTOR" MESSAGE="$MESSAGE\nšŸ“Œ *Branch:* \`$BRANCH\` | *Commit:* \`$SHORT_SHA\`" - - # Add custom message if provided - if [ -n "${{ inputs.custom_message }}" ]; then - MESSAGE="$MESSAGE\n\n${{ inputs.custom_message }}" + + if [ -n "$INPUT_CUSTOM_MESSAGE" ]; then + MESSAGE="$MESSAGE\n\n$INPUT_CUSTOM_MESSAGE" fi - - # Add link to workflow run + MESSAGE="$MESSAGE\n\n<$RUN_URL|šŸ”— View Workflow Run>" - + { echo "message<