GHA-135 Properly escape quotes in inputs (#61)

yasen-pavlov-sonarsource · petertrr · web-flow · commit 33cea6aa600a · 2025-11-11T15:00:10.000+01:00
Co-authored-by: Peter Trifanov &lt;peter.trifanov@gmail.com&gt;
diff --git a/.github/workflows/test-create-jira-version.yml b/.github/workflows/test-create-jira-version.yml
@@ -78,6 +78,7 @@ jobs:
           echo "Action should have determined new-version-name as: 1.2.3"
 
       - name: Test with environment variables
+        id: test-env
         uses: ./create-jira-version
         env:
           JIRA_PROJECT_KEY: 'TESTPROJ'
@@ -90,3 +91,21 @@ jobs:
           echo "Test with environment variables:"
           echo "Expected to fail due to missing credentials (which is expected in CI)"
           echo "Action should have determined new-version-name as: 2.0.2"
+
+      - name: Test with special characters in version names
+        id: test-special-chars
+        uses: ./create-jira-version
+        with:
+          jira-project-key: 'TESTPROJ'
+          jira-version-name: '1.2.3-"beta"'
+          jira-new-version-name: '1.2.4-"rc1"'
+          use-jira-sandbox: 'true'
+        continue-on-error: true
+
+      - name: Verify special characters test
+        run: |
+          echo "Test with special characters in version names:"
+          echo "Expected to fail due to missing credentials (which is expected in CI)"
+          echo "Action should handle version names with quotes without syntax errors"
+          echo "Test outcome: ${{ steps.test-special-chars.outcome }}"
+          echo "✓ Action handles quotes and special characters in version names"
diff --git a/.github/workflows/test-publish-github-release.yml b/.github/workflows/test-publish-github-release.yml
@@ -104,28 +104,55 @@ jobs:
           release-version: "test-v1.0.2-${{ github.run_number }}"
           release-notes: |
             # Test Release Notes
-            
+
             This is a test release with markdown content:
             - Feature 1
             - Feature 2
-            
+
             ## Bug Fixes
             - Fix 1
             - Fix 2
           draft: "true"
         continue-on-error: true
 
+      - name: Test With Release Notes Containing Quotes
+        id: test-release-notes-quotes
+        uses: ./publish-github-release
+        with:
+          github-token: ${{ github.token }}
+          release-version: "test-v1.0.3-${{ github.run_number }}"
+          release-notes: |
+            # Release notes - Test - 1.0.3
+
+            ### New Feature
+            [SONARIAC-2361](https://example.com) S4830: Server certificates should be verified during SSL/TLS connections
+            [SONARIAC-2366](https://example.com) S6573: Expanded filenames should not become options
+
+            ### Improvement
+            [SONARIAC-2230](https://example.com) S6596 should have different message when tag is present but not compliant
+            [SONARIAC-2301](https://example.com) Improve "ShellCmdDetector" performance
+
+            ### Bug
+            [SONARIAC-2354](https://example.com) Exclude line separators from "shell" text ranges
+            [TEST-123](https://example.com) Fix issue with "quotes" in title
+            [TEST-456](https://example.com) Handle 'single quotes' and "double quotes" correctly
+            [TEST-789](https://example.com) Test with "command -f" in title
+          draft: "true"
+        continue-on-error: true
+
       - name: Verify Parameter Tests
         run: |
           echo "Parameter test results:"
           echo "Version input test outcome: ${{ steps.test-version-input.outcome }}"
           echo "Custom branch test outcome: ${{ steps.test-custom-branch.outcome }}"
           echo "Release notes test outcome: ${{ steps.test-release-notes.outcome }}"
-          
+          echo "Release notes with quotes test outcome: ${{ steps.test-release-notes-quotes.outcome }}"
+
           # These tests might fail due to workflow triggering issues in test environment
           # We're testing that the parameters are accepted without syntax errors
           echo "✓ Parameter tests completed without syntax errors"
           echo "✓ Action accepts all parameter combinations"
+          echo "✓ Action handles quotes and special characters in release notes"
 
   environment-variable-tests:
     name: Test Environment Variable Usage
diff --git a/.github/workflows/test-update-analyzer.yml b/.github/workflows/test-update-analyzer.yml
@@ -127,15 +127,35 @@ jobs:
           pull-request-body: "Test PR body"
         continue-on-error: true
 
+      - name: Test With Special Characters in Inputs
+        id: test-special-chars
+        uses: ./update-analyzer
+        with:
+          release-version: '1.0.0.1'
+          ticket-key: "SONAR-12345"
+          plugin-name: 'test-plugin'
+          plugin-artifacts: 'java,kotlin,"scala"'
+          secret-name: "test-secret"
+          pull-request-body: |
+            Update analyzer to version 1.0.0.1
+
+            ### Changes
+            - Fix issue with "quotes" in parser
+            - Handle 'single quotes' correctly
+            - Improve "double quoted" strings
+        continue-on-error: true
+
       - name: Verify Parameter Tests
         run: |
           echo "Input parameter test results:"
           echo "SONAR ticket test outcome: ${{ steps.test-sonar-ticket.outcome }}"
           echo "SC ticket test outcome: ${{ steps.test-sc-ticket.outcome }}"
           echo "Plugin artifacts test outcome: ${{ steps.test-plugin-artifacts.outcome }}"
           echo "Optional parameters test outcome: ${{ steps.test-optional-params.outcome }}"
-          
+          echo "Special characters test outcome: ${{ steps.test-special-chars.outcome }}"
+
           # All tests are expected to fail due to missing vault access
           # We're testing that the parameters are accepted and don't cause syntax errors
           echo "✓ All parameter tests completed without syntax errors"
           echo "✓ Action accepts all valid input parameter combinations"
+          echo "✓ Action handles quotes and special characters in inputs"
diff --git a/.github/workflows/test-update-release-ticket-status.yml b/.github/workflows/test-update-release-ticket-status.yml
@@ -38,3 +38,44 @@ jobs:
         run: |
           cd update-release-ticket-status
           python -m pytest test_update_release_ticket.py -v --cov=update_release_ticket --cov-report=term-missing
+
+  integration-tests:
+    name: Integration Tests
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Test with basic inputs
+        id: test-basic
+        uses: ./update-release-ticket-status
+        with:
+          release-ticket-key: 'REL-1234'
+          status: 'In Progress'
+          use-jira-sandbox: 'true'
+        continue-on-error: true
+
+      - name: Verify basic test
+        run: |
+          echo "Test with basic inputs:"
+          echo "Expected to fail due to missing credentials (which is expected in CI)"
+          echo "Test outcome: ${{ steps.test-basic.outcome }}"
+
+      - name: Test with special characters in inputs
+        id: test-special-chars
+        uses: ./update-release-ticket-status
+        with:
+          release-ticket-key: 'REL-5678'
+          status: 'In "Review"'
+          assignee: 'test.user@example.com'
+          use-jira-sandbox: 'true'
+        continue-on-error: true
+
+      - name: Verify special characters test
+        run: |
+          echo "Test with special characters in inputs:"
+          echo "Expected to fail due to missing credentials (which is expected in CI)"
+          echo "Action should handle status values with quotes without syntax errors"
+          echo "Test outcome: ${{ steps.test-special-chars.outcome }}"
+          echo "✓ Action handles quotes and special characters in inputs"
diff --git a/create-jira-version/action.yml b/create-jira-version/action.yml
@@ -52,22 +52,28 @@ runs:
       id: determine-current-version
       if: ${{ !inputs.jira-new-version-name }}
       shell: bash
+      env:
+        INPUT_VERSION: ${{ inputs.jira-version-name || env.JIRA_VERSION_NAME }}
+        FETCHED_VERSION: ${{ steps.get-jira-version.outputs.jira-version-name }}
       run: |
-        if [[ -n "${{ inputs.jira-version-name || env.JIRA_VERSION_NAME }}" ]]; then
-          CURRENT_VERSION="${{ inputs.jira-version-name || env.JIRA_VERSION_NAME }}"
+        if [[ -n "$INPUT_VERSION" ]]; then
+          CURRENT_VERSION="$INPUT_VERSION"
         else
-          CURRENT_VERSION="${{ steps.get-jira-version.outputs.jira-version-name }}"
+          CURRENT_VERSION="$FETCHED_VERSION"
         fi
         echo "current-version-name=$CURRENT_VERSION" >> $GITHUB_OUTPUT
 
     - name: Determine New Jira Version
       id: determine-new-version-name
       shell: bash
+      env:
+        NEW_VERSION_INPUT: ${{ inputs.jira-new-version-name }}
+        CURRENT_VERSION_OUTPUT: ${{ steps.determine-current-version.outputs.current-version-name }}
       run: |
-        if [[ -n "${{ inputs.jira-new-version-name }}" ]]; then
-          NEW_VERSION="${{ inputs.jira-new-version-name }}"
+        if [[ -n "$NEW_VERSION_INPUT" ]]; then
+          NEW_VERSION="$NEW_VERSION_INPUT"
         else
-          NEW_VERSION=$(echo "${{ steps.determine-current-version.outputs.current-version-name }}" | awk -F. '{$NF+=1; print}' OFS='.')
+          NEW_VERSION=$(echo "$CURRENT_VERSION_OUTPUT" | awk -F. '{$NF+=1; print}' OFS='.')
         fi
         echo "new-version-name=$NEW_VERSION" >> $GITHUB_OUTPUT
 
@@ -79,16 +85,17 @@ runs:
         JIRA_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).JIRA_TOKEN }}
         JIRA_PROD_URL: "https://sonarsource.atlassian.net/"
         JIRA_SANDBOX_URL: "https://sonarsource-sandbox-608.atlassian.net/"
+        PROJECT_KEY_INPUT: ${{ inputs.jira-project-key || env.JIRA_PROJECT_KEY }}
+        VERSION_NAME: ${{ steps.determine-new-version-name.outputs.new-version-name }}
+        JIRA_URL: ${{ ((inputs.use-jira-sandbox || env.USE_JIRA_SANDBOX) == 'true') && env.JIRA_SANDBOX_URL || env.JIRA_PROD_URL }}
       run: |
-        PROJECT_KEY="${{ inputs.jira-project-key || env.JIRA_PROJECT_KEY }}"
-        
-        if [[ -z "$PROJECT_KEY" ]]; then
+        if [[ -z "$PROJECT_KEY_INPUT" ]]; then
           echo "::error::Both jira-project-key input and JIRA_PROJECT_KEY environment variable are missing. One must be provided."
           exit 1
         fi
 
         python ${{ github.action_path }}/create_jira_version.py \
-          --project-key="$PROJECT_KEY" \
-          --version-name="${{ steps.determine-new-version-name.outputs.new-version-name }}" \
-          --jira-url="${{ ((inputs.use-jira-sandbox || env.USE_JIRA_SANDBOX) == 'true') && env.JIRA_SANDBOX_URL || env.JIRA_PROD_URL }}" \
+          --project-key="$PROJECT_KEY_INPUT" \
+          --version-name="$VERSION_NAME" \
+          --jira-url="$JIRA_URL" \
           >> $GITHUB_OUTPUT
diff --git a/publish-github-release/action.yml b/publish-github-release/action.yml
@@ -48,21 +48,25 @@ runs:
         echo "VALIDATED_VERSION=$VERSION" >> $GITHUB_ENV
 
     - name: Prepare Release Notes
+      if: ${{ inputs.release-notes != '' }}
       shell: bash
       run: |
-        if [[ -n "${RELEASE_NOTES}" ]]; then
-          echo "${RELEASE_NOTES}" > release-notes.md
-        else
-          echo "" > release-notes.md
-        fi
+        echo "${RELEASE_NOTES}" > release-notes.md
       env:
         RELEASE_NOTES: ${{ inputs.release-notes }}
 
+    - name: Prepare Empty Release Notes
+      if: ${{ inputs.release-notes == '' }}
+      shell: bash
+      run: |
+        echo "" > release-notes.md
+
     - name: Create Release with GitHub CLI
       id: create-release
       shell: bash
       env:
         GITHUB_TOKEN: ${{ inputs.github-token }}
+        HAS_RELEASE_NOTES: ${{ inputs.release-notes != '' }}
       run: |
         # Check if a release with the same title already exists
         EXPECTED_TITLE="$VALIDATED_VERSION"
@@ -104,7 +108,7 @@ runs:
 
         # Build the gh release create command
         NOTES_FLAG=""
-        if [[ -n "${{ inputs.release-notes }}" ]]; then
+        if [[ "$HAS_RELEASE_NOTES" == "true" ]]; then
           NOTES_FLAG="--notes-file release-notes.md"
         fi
 
diff --git a/update-analyzer/action.yml b/update-analyzer/action.yml
@@ -75,24 +75,28 @@ runs:
 
     - name: Update analyzer version in build file
       shell: bash
+      env:
+        PLUGIN_ARTIFACTS: ${{ inputs.plugin-artifacts }}
+        PLUGIN_NAME: ${{ inputs.plugin-name }}
+        RELEASE_VERSION: ${{ inputs.release-version }}
       run: |
         set -euo pipefail
         # Prepare the list of plugins to update
-        if [[ -n "${{ inputs.plugin-artifacts }}" ]]; then
-          echo "Using plugin-artifacts: ${{ inputs.plugin-artifacts }}"
-          IFS=',' read -ra PLUGINS <<< "${{ inputs.plugin-artifacts }}"
+        if [[ -n "$PLUGIN_ARTIFACTS" ]]; then
+          echo "Using plugin-artifacts: $PLUGIN_ARTIFACTS"
+          IFS=',' read -ra PLUGINS <<< "$PLUGIN_ARTIFACTS"
         else
-          echo "Using plugin-name: ${{ inputs.plugin-name }}"
-          PLUGINS=("${{ inputs.plugin-name }}")
+          echo "Using plugin-name: $PLUGIN_NAME"
+          PLUGINS=("$PLUGIN_NAME")
         fi
-        
+
         # Update each plugin
         for plugin in "${PLUGINS[@]}"; do
           plugin=$(echo "$plugin" | xargs)
           echo "Updating analyzer version in ${{ env.BUILD_GRADLE_FILE }} for plugin $plugin"
-          sed -i "s/\(:sonar-$plugin.*-plugin:\)[0-9.]*/\1${{ inputs.release-version }}/g" ${{ env.BUILD_GRADLE_FILE }}
+          sed -i "s/\(:sonar-$plugin.*-plugin:\)[0-9.]*/\1$RELEASE_VERSION/g" ${{ env.BUILD_GRADLE_FILE }}
         done
-        
+
         echo "Showing diff:"
         git --no-pager diff ${{ env.BUILD_GRADLE_FILE }}
 
diff --git a/update-release-ticket-status/action.yml b/update-release-ticket-status/action.yml
@@ -40,19 +40,23 @@ runs:
     - name: Run Python Script to Update Ticket
       id: run_python_script
       shell: bash
+      env:
+        JIRA_USER: ${{ fromJSON(steps.secrets.outputs.vault).JIRA_USER }}
+        JIRA_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).JIRA_TOKEN }}
+        JIRA_PROD_URL: "https://sonarsource.atlassian.net/"
+        JIRA_SANDBOX_URL: "https://sonarsource-sandbox-608.atlassian.net/"
+        ASSIGNEE_INPUT: ${{ inputs.assignee }}
+        TICKET_KEY: ${{ inputs.release-ticket-key }}
+        STATUS: ${{ inputs.status }}
+        JIRA_URL: ${{ ((inputs.use-jira-sandbox || env.USE_JIRA_SANDBOX) == 'true') && env.JIRA_SANDBOX_URL || env.JIRA_PROD_URL }}
       run: |
         ASSIGNEE_FLAG=""
-        if [[ -n "${{ inputs.assignee }}" ]]; then
-          ASSIGNEE_FLAG="--assignee=${{ inputs.assignee }}"
+        if [[ -n "$ASSIGNEE_INPUT" ]]; then
+          ASSIGNEE_FLAG="--assignee=$ASSIGNEE_INPUT"
         fi
 
         python ${{ github.action_path }}/update_release_ticket.py \
-          --ticket-key="${{ inputs.release-ticket-key }}" \
-          --status="${{ inputs.status }}" \
+          --ticket-key="$TICKET_KEY" \
+          --status="$STATUS" \
           ${ASSIGNEE_FLAG} \
-          --jira-url="${{ ((inputs.use-jira-sandbox || env.USE_JIRA_SANDBOX) == 'true') && env.JIRA_SANDBOX_URL || env.JIRA_PROD_URL }}"
-      env:
-        JIRA_USER: ${{ fromJSON(steps.secrets.outputs.vault).JIRA_USER }}
-        JIRA_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).JIRA_TOKEN }}
-        JIRA_PROD_URL: "https://sonarsource.atlassian.net/"
-        JIRA_SANDBOX_URL: "https://sonarsource-sandbox-608.atlassian.net/"
+          --jira-url="$JIRA_URL"
