From 7fb09c40d8146513661e6550848b7ee3b1fa0324 Mon Sep 17 00:00:00 2001
From: An Phan
Date: Sun, 24 May 2026 10:42:43 +0200
Subject: [PATCH 1/3] ci: allow workflow_dispatch on the release workflow

---
 .github/workflows/release.yml | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 3197b77..551e235 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -3,6 +3,12 @@ on:
   push:
     tags:
       - 'v*' # Push events to matching v*, i.e. v1.0, v20.15.10
+  workflow_dispatch:
+    inputs:
+      koel_version:
+        description: 'Koel release tag to build against (e.g. v9.4.0). Required when triggered manually.'
+        required: true
+        type: string
 permissions: read-all
@@ -39,9 +45,13 @@ jobs:
           username: ${{ secrets.DOCKER_HUB_USERNAME }}
           password: ${{ secrets.DOCKER_HUB_PASSWORD }}
-      - name: Get version from tag
+      - name: Resolve version
         id: version
-        run: echo "VERSION=${GITHUB_REF_NAME#v}" >> "$GITHUB_OUTPUT"
+        # Use the dispatch input when triggered manually; fall back to the pushed tag name.
+        run: |
+          REF="${{ inputs.koel_version || github.ref_name }}"
+          echo "VERSION=${REF#v}" >> "$GITHUB_OUTPUT"
+          echo "TAG=${REF}" >> "$GITHUB_OUTPUT"
       - name: Build and push the production image
         uses: docker/build-push-action@v7
@@ -49,3 +59,5 @@ jobs:
           push: true
           tags: phanan/koel:latest,phanan/koel:${{ steps.version.outputs.VERSION }}
           platforms: linux/amd64,linux/arm64,linux/arm/v7
+        build-args: |
+          KOEL_VERSION_REF=${{ steps.version.outputs.TAG }}

From 64741c39e0768ea89e981db5690f7faefeeaf4eb Mon Sep 17 00:00:00 2001
From: An Phan
Date: Sun, 24 May 2026 10:53:17 +0200
Subject: [PATCH 2/3] fix: harden Resolve version against template injection

---
 .github/workflows/release.yml | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 551e235..fb7bc8f 100644
--- a/.github/workflows/release.yml
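Review bot: A manual dispatch that rebuilds an older `koel_version` still pushes `phanan/koel:latest`, because the `tags:` context line in the last hunk keeps `latest` unconditional while the new `workflow_dispatch` trigger makes it possible to build something other than the newest tag; that would move `latest` backwards on Docker Hub. Consider limiting `latest` to tag pushes, e.g. `tags: ${{ github.event_name == 'push' && 'phanan/koel:latest,' || '' }}phanan/koel:${{ steps.version.outputs.VERSION }}`. The new `build-args` line passes `KOEL_VERSION_REF` from `steps.version.outputs.TAG`, but the Dockerfile is not part of this patch, so whether it declares a matching `ARG` cannot be confirmed here.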
+++ b/.github/workflows/release.yml
@@ -47,9 +47,13 @@ jobs:
       - name: Resolve version
         id: version
-        # Use the dispatch input when triggered manually; fall back to the pushed tag name.
+        # Pass template values through `env:` rather than expanding into the shell script directly,
+        # so a malicious dispatch input can't inject commands. $GITHUB_REF_NAME is already in the
+        # runner's environment by default; only KOEL_VERSION needs explicit binding here.
+        env:
+          KOEL_VERSION: ${{ inputs.koel_version }}
         run: |
-          REF="${{ inputs.koel_version || github.ref_name }}"
+          REF="${KOEL_VERSION:-$GITHUB_REF_NAME}"
           echo "VERSION=${REF#v}" >> "$GITHUB_OUTPUT"
           echo "TAG=${REF}" >> "$GITHUB_OUTPUT"

From 6d46ab163c9bd70f4147efa68f29a655b5658f3e Mon Sep 17 00:00:00 2001
From: An Phan
Date: Sun, 24 May 2026 13:19:21 +0200
Subject: [PATCH 3/3] fix: trim comment to one line

---
 .github/workflows/release.yml | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index fb7bc8f..be7acbf 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -47,9 +47,7 @@ jobs:
       - name: Resolve version
         id: version
-        # Pass template values through `env:` rather than expanding into the shell script directly,
-        # so a malicious dispatch input can't inject commands. $GITHUB_REF_NAME is already in the
-        # runner's environment by default; only KOEL_VERSION needs explicit binding here.
+        # env-var indirection to prevent template injection from the dispatch input
         env:
           KOEL_VERSION: ${{ inputs.koel_version }}
         run: |
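Review bot: The `env:` indirection in the first hunk closes the shell-injection path, but the resolved value still flows unchecked into `steps.version.outputs.VERSION` and `TAG`, which the earlier patch uses as an image tag and a `build-args` value, so any string accepted by the dispatch form (a branch name, `latest`, an empty-looking value) would be built and pushed under that name. A format guard before the two `echo` lines would close that gap: `[[ "$REF" =~ ^v[0-9]+(\.[0-9]+)*$ ]] || { echo "koel_version must look like vX.Y.Z, got: $REF" >&2; exit 1; }`. This also makes the `${REF#v}` strip on the next line reliable, since it only removes a lowercase `v`. `${KOEL_VERSION:-$GITHUB_REF_NAME}` appears to preserve the old `||` fallback, on the assumption that an absent dispatch input expands to an empty string on push events; worth confirming with one tag-push run.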