Harden GITHUB_PATH writes and prerelease API pagination

MariusStorhaug · MariusStorhaug · commit ad4035f772df · 2026-02-17T12:25:29.000+01:00
- Validate MAJOR_VERSION is digits-only before writing to GITHUB_PATH (Linux, macOS, Windows)
- Add per_page=100 to /releases API calls when resolving latest prerelease (Linux, macOS, Windows)
diff --git a/action.yml b/action.yml
@@ -51,7 +51,7 @@ runs:
                         -H "Accept: application/vnd.github+json" \
                         -H "Authorization: Bearer $GITHUB_TOKEN" \
                         -H "X-GitHub-Api-Version: 2022-11-28" \
-                        https://api.github.com/repos/PowerShell/PowerShell/releases |
+                        'https://api.github.com/repos/PowerShell/PowerShell/releases?per_page=100' |
                         jq -r '[.[] | select(.prerelease == true)] | (.[0].tag_name // empty)' | sed 's/^v//'
                     )
                     if [[ -z "$REQUESTED_VERSION" ]]; then
@@ -128,10 +128,14 @@ runs:
         # `shell: pwsh` steps resolve to the version we just installed.
         if [[ "$REQUESTED_VERSION" == *-* ]]; then
           MAJOR_VERSION=$(echo "$REQUESTED_VERSION" | cut -d'.' -f1)
-          INSTALL_DIR="/opt/microsoft/powershell/${MAJOR_VERSION}-preview"
-          if [[ -d "$INSTALL_DIR" ]]; then
-            echo "Adding install directory to GITHUB_PATH: $INSTALL_DIR"
-            echo "$INSTALL_DIR" >> "$GITHUB_PATH"
+          if [[ "$MAJOR_VERSION" =~ ^[0-9]+$ ]]; then
+            INSTALL_DIR="/opt/microsoft/powershell/${MAJOR_VERSION}-preview"
+            if [[ -d "$INSTALL_DIR" ]]; then
+              echo "Adding install directory to GITHUB_PATH: $INSTALL_DIR"
+              echo "$INSTALL_DIR" >> "$GITHUB_PATH"
+            fi
+          else
+            echo "Warning: Computed MAJOR_VERSION ('$MAJOR_VERSION') is invalid; skipping GITHUB_PATH update." >&2
           fi
         fi
 
@@ -159,7 +163,7 @@ runs:
                         -H "Accept: application/vnd.github+json" \
                         -H "Authorization: Bearer $GITHUB_TOKEN" \
                         -H "X-GitHub-Api-Version: 2022-11-28" \
-                        https://api.github.com/repos/PowerShell/PowerShell/releases |
+                        'https://api.github.com/repos/PowerShell/PowerShell/releases?per_page=100' |
                         jq -r '[.[] | select(.prerelease == true)] | (.[0].tag_name // empty)' | sed 's/^v//'
                     )
                     if [[ -z "$REQUESTED_VERSION" ]]; then
@@ -223,10 +227,14 @@ runs:
         # `shell: pwsh` steps resolve to the version we just installed.
         if [[ "$REQUESTED_VERSION" == *-* ]]; then
           MAJOR_VERSION=$(echo "$REQUESTED_VERSION" | cut -d'.' -f1)
-          INSTALL_DIR="/usr/local/microsoft/powershell/${MAJOR_VERSION}-preview"
-          if [[ -d "$INSTALL_DIR" ]]; then
-            echo "Adding install directory to GITHUB_PATH: $INSTALL_DIR"
-            echo "$INSTALL_DIR" >> "$GITHUB_PATH"
+          if [[ "$MAJOR_VERSION" =~ ^[0-9]+$ ]]; then
+            INSTALL_DIR="/usr/local/microsoft/powershell/${MAJOR_VERSION}-preview"
+            if [[ -d "$INSTALL_DIR" ]]; then
+              echo "Adding install directory to GITHUB_PATH: $INSTALL_DIR"
+              echo "$INSTALL_DIR" >> "$GITHUB_PATH"
+            fi
+          else
+            echo "Warning: Computed MAJOR_VERSION ('$MAJOR_VERSION') is invalid; skipping GITHUB_PATH update." >&2
           fi
         fi
 
@@ -253,7 +261,7 @@ runs:
                 'X-GitHub-Api-Version' = '2022-11-28'
             }
             if ($env:PRERELEASE -eq 'true') {
-                $releases = Invoke-RestMethod -Uri 'https://api.github.com/repos/PowerShell/PowerShell/releases' -Headers $headers
+                $releases = Invoke-RestMethod -Uri 'https://api.github.com/repos/PowerShell/PowerShell/releases?per_page=100' -Headers $headers
                 $latestRelease = $releases | Where-Object { $_.prerelease -eq $true } | Select-Object -First 1
                 if (-not $latestRelease) {
                     Write-Host "Error: No prerelease PowerShell releases are available from GitHub."
@@ -390,14 +398,18 @@ runs:
         # install directory (7-preview) is not on the runner's default PATH.
         $isPrerelease = $env:REQUESTED_VERSION -match '-'
         $majorVersion = ($env:REQUESTED_VERSION -split '[.\-]')[0]
-        $installDir = if ($isPrerelease) {
-            "$env:ProgramFiles\PowerShell\$majorVersion-preview"
-        } else {
-            "$env:ProgramFiles\PowerShell\$majorVersion"
-        }
-        if (Test-Path $installDir) {
-            Write-Host "Adding install directory to GITHUB_PATH: $installDir"
-            Add-Content -Path $env:GITHUB_PATH -Value $installDir
+        if ($majorVersion -match '^\d+$') {
+            $installDir = if ($isPrerelease) {
+                "$env:ProgramFiles\PowerShell\$majorVersion-preview"
+            } else {
+                "$env:ProgramFiles\PowerShell\$majorVersion"
+            }
+            if (Test-Path $installDir) {
+                Write-Host "Adding install directory to GITHUB_PATH: $installDir"
+                Add-Content -Path $env:GITHUB_PATH -Value $installDir
+            } else {
+                Write-Host "Warning: Expected install directory not found: $installDir"
+            }
         } else {
-            Write-Host "Warning: Expected install directory not found: $installDir"
+            Write-Host "Warning: Computed major version ('$majorVersion') is invalid; skipping GITHUB_PATH update."
         }
