fix(scripts): apply CI output escaping to infrastructure scripts#369
Merged: WilliamBerryiii merged 3 commits into main on Jan 31, 2026
Conversation
Dependency Review: ✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found. Scanned files: None
Codecov Report: ❌ Patch coverage is
Additional details and impacted files (Coverage Diff):

| | main | #369 | +/- |
|---|---|---|---|
| Coverage | 52.31% | 52.41% | +0.09% |
| Files | 17 | 17 | |
| Lines | 3110 | 3110 | |
| Hits | 1627 | 1630 | +3 |
| Misses | 1483 | 1480 | -3 |
Pull request overview
This PR applies GitHub Actions workflow command escaping to infrastructure scripts and workflows to prevent potential command injection vulnerabilities. The changes ensure that error and warning outputs escape special characters before writing to workflow commands.
Changes:
- Added inline escaping function to dependency-pinning-scan.yml workflow with full property escaping
- Added escaping to error handler outputs in four PowerShell scripts (Generate-PrReference.ps1, Package-Extension.ps1, Prepare-Extension.ps1, Get-VerifiedDownload.ps1)
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| .github/workflows/dependency-pinning-scan.yml | Added ConvertTo-GHAEscaped inline function to escape workflow command patterns in dependency violation warnings |
| scripts/dev-tools/Generate-PrReference.ps1 | Added escaping to error handler for GitHub Actions workflow commands |
| scripts/extension/Package-Extension.ps1 | Added escaping to error handler for GitHub Actions workflow commands |
| scripts/extension/Prepare-Extension.ps1 | Added escaping to error handler for GitHub Actions workflow commands |
| scripts/lib/Get-VerifiedDownload.ps1 | Added escaping to error handler for GitHub Actions workflow commands |
auyidi1 approved these changes on Jan 30, 2026
Apply ConvertTo-GitHubActionsEscaped to prevent workflow command injection. Closes #366 🔒 - Generated by Copilot
- replace backslash escapes with PowerShell backtick escapes
- fix Generate-PrReference.ps1, Get-VerifiedDownload.ps1
- fix Prepare-Extension.ps1, Package-Extension.ps1
🔧 - Generated by Copilot

1e8f168 to 7676022

- import CIHelpers.psm1 in infrastructure scripts
- replace inline escaping with Write-CIAnnotation
- remove redundant platform detection boilerplate
🔧 - Generated by Copilot
WilliamBerryiii added a commit that referenced this pull request on Feb 4, 2026
🤖 I have created a release *beep* *boop*

---

## [2.1.0](hve-core-v2.0.1...hve-core-v2.1.0) (2026-02-04)

### ✨ Features

* add PowerShell script to validate copyright headers ([#370](#370)) ([92fce72](92fce72))
* **docs:** Replace deprecated chat.modeFilesLocations with chat.agentFilesLocations ([#413](#413)) ([67fb2ab](67fb2ab))
* **scripts:** add CIHelpers module for CI platform abstraction ([#348](#348)) ([23e7a7e](23e7a7e))
* **scripts:** add SecurityHelpers and CIHelpers modules ([#354](#354)) ([b93d990](b93d990))
* **workflow:** add copilot-setup-steps.yml for Coding Agent environment ([#398](#398)) ([085a38b](085a38b))

### 🐛 Bug Fixes

* **build:** increase release-please search depths to prevent 250-commit window issue ([#342](#342)) ([4bb857d](4bb857d))
* **build:** patch @isaacs/brace-expansion critical vulnerability ([#404](#404)) ([292ef51](292ef51))
* **ci:** disable errexit during spell check exit code capture ([#356](#356)) ([ed6ed46](ed6ed46))
* **ci:** exclude extension/README.md from frontmatter validation ([#362](#362)) ([e0d7378](e0d7378))
* exclude test fixtures from markdown link checker ([#345](#345)) ([58147f9](58147f9))
* **extension:** resolve path resolution issues in Windows/WSL environments ([#407](#407)) ([8529725](8529725))
* **linting:** use Write-Error instead of Write-Host for error output ([#377](#377)) ([2ca766b](2ca766b))
* **scripts:** apply CI output escaping to infrastructure scripts ([#369](#369)) ([251021e](251021e))
* **scripts:** apply CI output escaping to linting scripts ([#367](#367)) ([fdd75ed](fdd75ed))
* **scripts:** apply CI output escaping to security scripts ([#368](#368)) ([1237c9a](1237c9a))
* **scripts:** ensure reliable array count operations in linting and security scripts ([#395](#395)) ([de43e73](de43e73))
* **scripts:** standardize PowerShell requirements header block ([#385](#385)) ([6e26282](6e26282))

### 📚 Documentation

* add doc-ops agent to CUSTOM-AGENTS reference ([#358](#358)) ([15f7185](15f7185))
* add memory agent to CUSTOM-AGENTS.md ([#359](#359)) ([d92c4e1](d92c4e1))
* add missing agents to extension README ([#357](#357)) ([d58541c](d58541c))
* add task-reviewer agent to CUSTOM-AGENTS.md ([#363](#363)) ([0efb722](0efb722))
* **contributing:** add copyright header guidelines ([#382](#382)) ([881a567](881a567))
* **scripts:** update README.md with missing directory sections ([#355](#355)) ([ac2966f](ac2966f))

### ♻️ Refactoring

* **scripts:** align linting and tests with CIHelpers ([#401](#401)) ([3587e6a](3587e6a))
* **scripts:** extract Invoke-PackageExtension for testability ([#343](#343)) ([858a1be](858a1be))
* **scripts:** extract orchestration function for Prepare-Extension testability ([#344](#344)) ([9fd4bd1](9fd4bd1))
* **scripts:** replace raw GITHUB_OUTPUT with Set-CIOutput in Package-Extension ([#391](#391)) ([74a30bb](74a30bb))
* **security:** move DependencyViolation and ComplianceReport to shared module ([#378](#378)) ([1dd31ad](1dd31ad))

### 🔧 Maintenance

* add copyright headers to PowerShell scripts ([#381](#381)) ([d19c9b3](d19c9b3))
* add copyright headers to shell scripts ([#380](#380)) ([284b456](284b456))
* **deps-dev:** bump cspell from 9.6.1 to 9.6.2 in the npm-dependencies group ([#387](#387)) ([23c2b9f](23c2b9f))
* **workflows:** simplify Copilot setup steps workflow triggers ([#414](#414)) ([492a7b1](492a7b1))

---

This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

---------

Co-authored-by: hve-core-release-please[bot] <254602402+hve-core-release-please[bot]@users.noreply.github.com>
Co-authored-by: Bill Berry <wberry@microsoft.com>
Description
Applied GitHub Actions workflow command escaping to infrastructure scripts and workflows to prevent potential command injection vulnerabilities. All error and warning outputs now escape special characters (`%`, `\r`, `\n`, `::`) before writing to workflow commands.
- `ConvertTo-GHAEscaped` function with full property escaping for file paths and message content in violation warnings

Related Issue(s)
Closes #366
Type of Change
Select all that apply:
- Code & Documentation:
- Infrastructure & Configuration:
- AI Artifacts:
  - prompt-builder agent and addressed all feedback
  - .github/instructions/*.instructions.md
  - .github/prompts/*.prompt.md
  - .github/agents/*.agent.md
- Other:
  - .ps1, .sh, .py

Sample Prompts (for AI Artifact Contributions)
N/A - This PR modifies infrastructure scripts and workflows, not AI artifacts.
Testing
Verified escaping pattern matches GitHub's official `@actions/core` implementation. Changes are localized to error/warning output paths and do not affect script logic.

Checklist
Required Checks

AI Artifact Contributions
N/A

Required Automated Checks
The following validation commands must pass before merging:
- `npm run lint:md`
- `npm run spell-check`
- `npm run lint:frontmatter`
- `npm run lint:md-links`
- `npm run lint:ps`

Security Considerations
Additional Notes
Escaping pattern follows GitHub's official `@actions/core` implementation:
- `%` → `%25` (must be first)
- `\r` → `%0D`
- `\n` → `%0A`
- `::` → `%3A%3A`

Property values (file paths) additionally escape `:` → `%3A` and `,` → `%2C`.
🔒 - Generated by Copilot
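The escaping pattern listed in the notes above, and the command-injection concern raised in the review overview, written out as an added PowerShell example; this is not the repository's CIHelpers module or its ConvertTo-GHAEscaped function, and the names ConvertTo-GHAEscapedData, ConvertTo-GHAEscapedProperty and Write-GHAWarning, as well as the sample input, are assumptions made for the illustration:

```powershell
# Added example, not the repository's CIHelpers module: the escaping rules from
# the PR notes, applied before untrusted text is written as a workflow command.
# Function names are assumptions made for this illustration.

function ConvertTo-GHAEscapedData {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Value)
    # '%' is replaced first so the '%' introduced by later steps is not re-encoded.
    $escaped = $Value.Replace('%', '%25')
    $escaped = $escaped.Replace("`r", '%0D').Replace("`n", '%0A')
    # '::' would otherwise be read as a command delimiter inside the message.
    return $escaped.Replace('::', '%3A%3A')
}

function ConvertTo-GHAEscapedProperty {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Value)
    # Property values (file=, title=, ...) also escape ':' and ',' because the
    # runner uses them to split the property list from the message.
    $escaped = ConvertTo-GHAEscapedData -Value $Value
    return $escaped.Replace(':', '%3A').Replace(',', '%2C')
}

function Write-GHAWarning {
    # Emits one '::warning' annotation; every caller-supplied part is escaped.
    param(
        [Parameter(Mandatory)][string]$Message,
        [string]$File,
        [int]$Line
    )
    $props = @()
    if ($File) { $props += 'file=' + (ConvertTo-GHAEscapedProperty -Value $File) }
    if ($Line -gt 0) { $props += "line=$Line" }
    $command = '::warning'
    if ($props.Count -gt 0) { $command += ' ' + ($props -join ',') }
    return $command + '::' + (ConvertTo-GHAEscapedData -Value $Message)
}

# Constructed sample input: a dependency name that carries a newline and a
# command-looking suffix. Unescaped, the runner would read the text after the
# newline as a second command; escaped, it stays inert message text.
$untrusted = "left-pad`n::error title=fake::injected"
Write-GHAWarning -Message "Unpinned dependency: $untrusted" -File 'pkg/a,b.json' -Line 12
```

The emitted line keeps the whole message on a single `::warning` command, with the newline and both `::` sequences percent-encoded and the comma in the file property encoded as `%2C`.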