Skip to content

chore: update release action #78

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
witmicko merged 4 commits into from
Feb 10, 2026
Merged

chore: update release action #78

Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
6c8b164
chore: bump release action to match other repos
witmicko Feb 9, 2026
be32974
chore: bump release action to match other repos
witmicko Feb 9, 2026
9df4b8c
Merge branch 'main' into mich-update-release-action
witmicko Feb 9, 2026
39a48a0
remove commit regex check, updated needed id
witmicko Feb 9, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 5 additions & 9 deletions .github/workflows/main.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -62,19 +62,15 @@ jobs:
fi

is-release:
# Filtering by `push` events ensures that we only release from the `main` branch, which is a
# requirement for our npm publishing environment.
# The commit author should always be 'github-actions' for releases created by the
# 'create-release-pr' workflow, so we filter by that as well to prevent accidentally
# triggering a release.
if: github.event_name == 'push' && startsWith(github.event.head_commit.author.name, 'github-actions')
name: Determine whether this is a release merge commit
needs: all-jobs-pass
if: github.event_name == 'push'
Copy link

@cursor cursor bot Feb 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Removed commit author check weakens release trigger security

Medium Severity

The is-release job's if condition removed the startsWith(github.event.head_commit.author.name, 'github-actions') guard that previously ensured only commits authored by the github-actions bot (from the create-release-pr workflow) could trigger a release. Now any push to main is evaluated by action-is-release@v2, so a contributor could craft a PR (e.g., bumping package.json version or matching the commit message pattern) and trigger a release upon merge. As noted in the PR discussion, this reduces defense-in-depth around the release pipeline.

Fix in Cursor Fix in Web

runs-on: ubuntu-latest
outputs:
IS_RELEASE: ${{ steps.is-release.outputs.IS_RELEASE }}
runs-on: ubuntu-latest
steps:
- uses: MetaMask/action-is-release@v1
id: is-release
- id: is-release
uses: MetaMask/action-is-release@v2

publish-release:
needs: is-release
Expand Down
Loading