@witmicko witmicko commented Feb 9, 2026

Note

Low Risk
Low risk CI-only change; main risk is unintended releases or missed publishes if the new is-release conditions/action output differ from v1.

Overview
Updates the is-release gate in .github/workflows/main.yml to use MetaMask/action-is-release@v2 and renames the job for clarity.

Release detection is now run on all push events (instead of additionally filtering by commit author), relying on the action’s IS_RELEASE output to decide whether to run publish-release.

Written by Cursor Bugbot for commit 39a48a0. This will update automatically on new commits. Configure here.

@witmicko witmicko requested a review from a team as a code owner February 9, 2026 17:02
@witmicko witmicko changed the title from "Mich update release action" to "chore: update release action" Feb 9, 2026

@cursor cursor bot left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.

if: github.event_name == 'push' && startsWith(github.event.head_commit.author.name, 'github-actions')
name: Determine whether this is a release merge commit
needs: all-jobs-pass
if: github.event_name == 'push'
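
Review bot: The new `if: github.event_name == 'push'` line lets every push reach the release check, so the decision to publish now rests entirely on the output of the action this job calls. If dropping the `startsWith(github.event.head_commit.author.name, 'github-actions')` test is intended, add a short comment above the `if:` stating which condition now identifies a release commit, and confirm that `publish-release` still checks that output before it runs. The removed test compared only the commit author name, which is set by whoever creates the commit, so if a second guard is wanted it should be based on data the committer does not control rather than on the name match alone.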

Removed commit author check weakens release trigger security

Medium Severity

The is-release job's if condition removed the startsWith(github.event.head_commit.author.name, 'github-actions') guard that previously ensured only commits authored by the github-actions bot (from the create-release-pr workflow) could trigger a release. Now any push to main is evaluated by action-is-release@v2, so a contributor could craft a PR (e.g., bumping package.json version or matching the commit message pattern) and trigger a release upon merge. As noted in the PR discussion, this reduces defense-in-depth around the release pipeline.

@witmicko witmicko merged commit 1cdbc3b into main Feb 10, 2026
20 checks passed
@witmicko witmicko deleted the mich-update-release-action branch February 10, 2026 10:08