Skip to content

PREQ-7260 Validate build number before export in get-build-number#319

Draft
Tim-Pohlmann wants to merge 2 commits into
masterfrom
tim/validate-build-number-export
Draft

PREQ-7260 Validate build number before export in get-build-number#319
Tim-Pohlmann wants to merge 2 commits into
masterfrom
tim/validate-build-number-export

Conversation

@Tim-Pohlmann

Copy link
Copy Markdown

What

Validates BUILD_NUMBER against ^[0-9]+$ in the "Export build number" step, right before exporting it - the same check get_build_number.sh already applies, just at the single point where all three code paths (env passthrough, cache hit, freshly generated) converge.

Why

The "Export build number" step trusts .build_number.txt's content unconditionally on all three paths. get_build_number.sh validates the value it fetches from the repo property, but only on the freshly-generated path - a cache hit (or an externally-provided BUILD_NUMBER env var) skips that check entirely. A corrupted or empty cache entry would flow straight through to BUILD_NUMBER unchecked.

Found this while migrating sonar-scanner-msbuild's CI to GitHub Actions: an empty BUILD_NUMBER there causes scripts/set-version.ps1 to treat the run as a release-version bump - checking out a branch, committing, and opening a PR unattended. Not something this action is responsible for, but the blast radius of a missing one-line check seemed worth closing here rather than only guarding defensively downstream.

@Tim-Pohlmann Tim-Pohlmann requested a review from Copilot July 10, 2026 14:37
@hashicorp-vault-sonar-prod hashicorp-vault-sonar-prod Bot changed the title Validate build number before export in get-build-number PREQ-7260 Validate build number before export in get-build-number Jul 10, 2026
@hashicorp-vault-sonar-prod

hashicorp-vault-sonar-prod Bot commented Jul 10, 2026

Copy link
Copy Markdown

PREQ-7260

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR adds a safety check in the composite get-build-number GitHub Action to ensure the build number read from .build_number.txt is numeric before exporting it to GITHUB_ENV / GITHUB_OUTPUT, covering cache-hit and env-pass-through paths as well as freshly-generated values.

Changes:

  • Validate BUILD_NUMBER against ^[0-9]+$ immediately before exporting.
  • Emit a GitHub Actions ::error annotation and fail fast when the value is invalid.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread get-build-number/action.yml

@hedinasr hedinasr left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM thanks @Tim-Pohlmann

The "Export build number" step reads .build_number.txt and exports it
as BUILD_NUMBER unconditionally, on all three code paths (env
passthrough, cache hit, freshly generated) - unlike
get_build_number.sh, which validates the value with the same regex
before incrementing it, but only on the freshly-generated path. A
cache entry with unexpected/corrupted content would flow straight
through to BUILD_NUMBER unchecked.

Found while investigating sonar-scanner-msbuild's CI migration: an
empty BUILD_NUMBER there causes scripts/set-version.ps1 to treat the
run as a release-version bump, checking out a branch, committing, and
opening a PR - an unattended side effect disproportionate to a missing
one-line check.
@hedinasr hedinasr force-pushed the tim/validate-build-number-export branch from 3042f87 to a610142 Compare July 14, 2026 07:50
@gitar-bot

gitar-bot Bot commented Jul 14, 2026

Copy link
Copy Markdown
Code Review ✅ Approved

Adds a regex validation for the BUILD_NUMBER export to prevent downstream CI failures from corrupted cache or environment data. No issues found.

Options

Auto-apply is off → Gitar will not commit updates to this branch.
Display: compact → Showing less information.

Comment with these commands to change the behavior for this request:

Auto-apply Compact
gitar auto-apply:on         
gitar display:verbose         

Was this helpful? React with 👍 / 👎 | Gitar

@sonarqubecloud

Copy link
Copy Markdown

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants