BUILD-7996: Security fixes

[jayadeep-km-sonarsource]

BUILD-7996: Security fixes

[Copilot]

Pull Request Overview

This PR implements security fixes to prevent command injection vulnerabilities in GitHub Actions workflows and shell scripts by adding input validation and using environment variables instead of direct parameter interpolation.

• Adds version format validation to prevent environment variable injection in shell scripts
• Replaces direct parameter interpolation with environment variables in GitHub Actions steps
• Implements tag format validation for workflow inputs

Reviewed Changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

File	Description
releasability-status/find_version.sh	Adds regex validation for version format to prevent injection attacks
releasability-status/action.yml	Uses environment variables instead of direct step output interpolation
.github/workflows/update-v-branch.yml	Adds tag validation and uses environment variables for safe parameter passing

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[sonarqubecloud]

🤖 Pull Request summary

Updates GitHub workflows with security hardening and input validation.

• Quote GitHub Actions variables in pre-commit workflow to prevent shell injection
• Add tag format validation in update-v-branch workflow with regex check for vX.Y.Z pattern
• Move variables to environment in releasability-status action to avoid direct interpolation
• Add version validation in find_version.sh script to prevent malicious input injection

Review focus: Verify the regex patterns correctly validate expected formats and ensure the security improvements don't break existing functionality with edge cases.

💬 Please send your feedback

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[julien-carsique-sonarsource]

Some inconsistency remains: why using an ENV intermediate in some cases and not in others (like ${{ inputs.optional_checks }})?

Can you clarify the rules that were applied? Not the descriptions that are generated by Copilot and SQ, but the intention, the goal to achieve.
Maybe https://sonarsource.atlassian.net/browse/BUILD-7996?focusedCommentId=823178?

[jayadeep-km-sonarsource]

Hi @julien-carsique-sonarsource , thanks a lot for your review!

The rules are described here.
As per the above policy, using intermediete env var is the recommended approach

Regarding ${{ inputs.optional_checks }} and others, since it was quoted and there was a regex validation before the line, it is not marked as a security issue. I only fixed the issues reported by IST.

You can find the excel sheet and other relevant information in the parent ticket