TryGhost
OSS
Ghost
Sign in / Sign up
Open main menu
Ghost
GitHub
Overview
Runs
Analytics
Loading workspace stats
Loading workspace insights...
Statistics interval
7 days
30 days
Latest CI Pipeline Executions
Status
Fix filter
Filter
Fuzzy
Filter range
Sort by
Sort by
Start time
Sort ascending
Sort descending
Succeeded
29180
3789ee32 Fixed shell injection surface and unrestricted refs in CI dispatch lane ref https://github.com/TryGhost/Ghost/pull/29180#discussion_r3545449152 - the job_setup debug step interpolated toJson(github.event) directly into a shell script; with the new workflow_dispatch inputs the event payload became user-controlled text, so it's now passed via env where the shell can't evaluate it (flagged by CodeQL) - the dispatch publish lane accepted any ref, letting anyone with workflow-run permission publish an unreviewed branch with an OIDC token; it now only runs from main or a v* tag and skips on other refs
by Kevin Ansf...
K
Succeeded
29180
9e9843a4 Fixed shell injection surface and unrestricted refs in CI dispatch lane ref https://github.com/TryGhost/Ghost/pull/29180#discussion_r3545449152 - the job_setup debug step interpolated toJson(github.event) directly into a shell script; with the new workflow_dispatch inputs the event payload became user-controlled text, so it's now passed via env where the shell can't evaluate it (flagged by CodeQL) - the dispatch publish lane accepted any ref, letting anyone with workflow-run permission publish an unreviewed branch with an OIDC token; it now only runs from main or a v* tag and skips on other refs
by Kevin Ansf...
K
Succeeded
29180
b458c61f Changed out-of-band Koenig npm publishing to a ci.yml dispatch lane - npm trusted publishing allows one workflow per package, and the Koenig release lane in ci.yml claims that slot; the standalone publish-koenig-package.yml escape hatch could therefore never pass OIDC without manually re-pointing the package's trusted publisher on npmjs.com and back — a step nobody doing an urgent publish will know about or have npm permissions for - moved the escape hatch into ci.yml as a workflow_dispatch trigger so it publishes under the same workflow filename and trusted publisher: dispatch runs skip job_setup (the root of the CI job graph) so only publish_koenig_packages runs, with job_required_tests gated explicitly since it uses always() - dispatch runs get a per-run workflow concurrency group so they can't cancel (or be cancelled by) a regular CI run on the same ref; actual publishes stay serialized by the job-level publish-koenig-packages group
by Kevin Ansf...
K
Previous page
Previous
Next
Next page