chore: sanitize github actions workflows

.github/actions/decode_signing_key_action/action.yml

@@ -14,8 +14,18 @@ runs:
   steps:
     # After decoding the secret key, place the file in signing_file_path
     - run: |
+        set -euo pipefail
         umask 077
-        echo "${{inputs.signing_key_file}}" > ~/secretKey.gpg.b64
-        base64 -d ~/secretKey.gpg.b64 > ${{ inputs.signing_file_path }}
-        chmod 600 ${{ inputs.signing_file_path }}
+
+        # Validate signing_file_path to prevent path traversal
+        SIGNING_PATH="${{ inputs.signing_file_path }}"
+        if [[ ! "${SIGNING_PATH}" =~ ^/[a-zA-Z0-9/_.-]+$ ]]; then
+          echo "ERROR: Invalid signing file path format"
+          exit 1
+        fi
+
+        # Safely handle the signing key file
+        echo "${{ inputs.signing_key_file }}" > ~/secretKey.gpg.b64
+        base64 -d ~/secretKey.gpg.b64 > "${SIGNING_PATH}"
+        chmod 600 "${SIGNING_PATH}"
       shell: bash

.github/actions/publish_maven_central/action.yml

@@ -83,14 +83,33 @@ runs:
         SIGNING_KEY_FILE: ${{ inputs.signing_key_file }}
         USE_SNAPSHOT: ${{ inputs.use_snapshot }}
         AUTO_PUBLISH: ${{ inputs.auto_publish }}
+        WORKSPACE_DIR: ${{ github.workspace }}
       run: |
         set -euo pipefail
         echo "Publishing via Central Portal Maven plugin (NMCP) - module :library"
-        if [ ! -d "${{ github.workspace }}/library" ]; then
+
+        # Validate workspace directory path
+        if [[ ! "${WORKSPACE_DIR}" =~ ^/[a-zA-Z0-9/_.-]+$ ]]; then
+          echo "ERROR: Invalid workspace directory path format" >&2
+          exit 1
+        fi
+
+        if [ ! -d "${WORKSPACE_DIR}/library" ]; then
           echo "Error: library directory not found" >&2
           exit 1
         fi
 
+        # Validate boolean inputs
+        if [[ ! "${USE_SNAPSHOT}" =~ ^(true|false)$ ]]; then
+          echo "ERROR: Invalid USE_SNAPSHOT value. Must be 'true' or 'false'" >&2
+          exit 1
+        fi
+
+        if [[ ! "${AUTO_PUBLISH}" =~ ^(true|false)$ ]]; then
+          echo "ERROR: Invalid AUTO_PUBLISH value. Must be 'true' or 'false'" >&2
+          exit 1
+        fi
+
         echo "Importing GPG key for signing"
         gpg --batch --import "${SIGNING_KEY_FILE}"
 
@@ -115,7 +134,14 @@ runs:
           sleep 5
         done
 
-        VERSION=$(grep -o '"sdkVersionName"\s*:\s*"[^"]*"' ${{ github.workspace }}/build.gradle | grep -o '"[^"]*"$' | tr -d '"')
+        VERSION=$(grep -o '"sdkVersionName"\s*:\s*"[^"]*"' "${WORKSPACE_DIR}/build.gradle" | grep -o '"[^"]*"$' | tr -d '"')
+
+        # Validate extracted version format
+        if ! echo "${VERSION}" | grep -qE '^[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9.]+)?$'; then
+          echo "ERROR: Invalid version format extracted from build.gradle: ${VERSION}" >&2
+          exit 1
+        fi
+
         if [ "${USE_SNAPSHOT}" = "true" ]; then
           [[ "${VERSION}" != *-SNAPSHOT ]] && VERSION="${VERSION}-SNAPSHOT"
           echo "Publishing SNAPSHOT version: ${VERSION}"
@@ -138,6 +164,7 @@ runs:
         echo "Library POM has all required Maven Central configuration"
 
         echo "Deploying to Central Portal via Maven plugin"
-        bash -e ./deploy-snapshot-to-central.sh
+        set -euo pipefail
+        ./deploy-snapshot-to-central.sh
 
         echo "NMCP publish finished. Check deployments at https://central.sonatype.com/publishing/deployments"

.github/workflows/release-manual.yml

@@ -53,14 +53,36 @@ jobs:
           signing_key_file: ${{ secrets.SIGNING_KEY_FILE }}
           signing_file_path: ${{ env.SIGNING_KEY_FILE_PATH }}
 
+      - name: Validate version input
+        if: ${{ inputs.version != '' }}
+        run: |
+          # Store input in environment variable for safe handling
+          INPUT_VERSION="${{ inputs.version }}"
+
+          # Validate version format: must be semantic version (e.g., 1.2.3, 1.2.3-beta, 1.2.3-RC1)
+          if ! echo "${INPUT_VERSION}" | grep -qE '^[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9\.]+)?$'; then
+            echo "ERROR: Invalid version format: ${INPUT_VERSION}"
+            echo "Version must match semantic versioning format (e.g., 1.2.3, 1.2.3-beta)"
+            exit 1
+          fi
+
+          # Check length to prevent excessively long inputs
+          if [ ${#INPUT_VERSION} -gt 50 ]; then
+            echo "ERROR: Version string exceeds maximum length of 50 characters"
+            exit 1
+          fi
+
+          echo "VALIDATED_VERSION=${INPUT_VERSION}" >> $GITHUB_ENV
+          echo "Version validated: ${INPUT_VERSION}"
+
       - name: Optionally set version in Gradle
         if: ${{ inputs.version != '' }}
-        run: ./gradlew -PversionParam="${{ inputs.version }}" changeReleaseVersion
+        run: ./gradlew -PversionParam="${VALIDATED_VERSION}" changeReleaseVersion
 
       - name: Determine version
         run: |
-          if [ -n "${{ inputs.version }}" ]; then
-            echo "VERSION=${{ inputs.version }}" >> $GITHUB_ENV
+          if [ -n "${VALIDATED_VERSION:-}" ]; then
+            echo "VERSION=${VALIDATED_VERSION}" >> $GITHUB_ENV
           else
             VERSION=$(grep -o '"sdkVersionName"\s*:\s*"[^"]*"' build.gradle | grep -o '"[^\"]*"$' | tr -d '"')
             echo "VERSION=${VERSION}" >> $GITHUB_ENV
@@ -80,8 +102,9 @@ jobs:
           SIGNING_KEY_PASSWORD: ${{ secrets.SIGNING_KEY_PASSWORD }}
           SIGNING_KEY_FILE: ${{ env.SIGNING_KEY_FILE_PATH }}
         run: |
+          set -euo pipefail
           echo "Running direct deployment script..."
-          bash -e ./deploy-to-maven-central.sh --no-auto-publish
+          ./deploy-to-maven-central.sh --no-auto-publish
 
       - name: Configure Git user
         run: |

.github/workflows/release.yml

@@ -112,8 +112,9 @@ jobs:
           SIGNING_KEY_PASSWORD: ${{ secrets.SIGNING_KEY_PASSWORD }}
           SIGNING_KEY_FILE: ${{ env.SIGNING_KEY_FILE_PATH }}
         run: |
+          set -euo pipefail
           echo "Running direct deployment script..."
-          bash -e ./deploy-to-maven-central.sh --no-auto-publish
+          ./deploy-to-maven-central.sh --no-auto-publish
 
       - name: Cleanup signing key files
         if: always()