This repository was archived by the owner on May 3, 2026. It is now read-only.

fix: safe JSON construction for Discord webhook notifications #4

Merged: 0x5t4l1n merged 1 commit into main from copilot/fix-discord-webhook on May 3, 2026

Copilot AI commented May 3, 2026

Discord webhook calls were silently failing whenever commit messages or author names contained ", \, or newlines — all common in the auto-increment workflow — because those values were interpolated raw into a hand-built JSON string.

Changes

  • JSON construction — replaced manual string interpolation with jq -n --arg so all field values are properly escaped regardless of content
  • Injection safety — COMMIT_MESSAGE and AUTHOR are now passed via env: instead of inline ${{ }} expressions in the shell script, avoiding both shell and JSON injection
  • Failure visibility — changed curl -s → curl -sf so HTTP 4xx/5xx responses from Discord surface as step failures rather than silent no-ops

# Before — breaks on any " \ or newline in message
-d "{\"fields\": [{\"value\": \"${COMMIT_MESSAGE}\"}]}"

# After — jq handles all escaping
PAYLOAD=$(jq -n --arg message "$COMMIT_MESSAGE" '{embeds: [{fields: [{value: $message}]}]}')
curl -sf -X POST "$DISCORD_WEBHOOK" -H "Content-Type: application/json" -d "$PAYLOAD"

0x5t4l1n marked this pull request as ready for review May 3, 2026 06:42
0x5t4l1n merged commit e0b143f into main May 3, 2026
1 check passed
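
An added example (not code from this pull request or repository) that runs the before and after payload construction described in the comment above on a constructed commit message containing `"`, `\` and a newline, then checks that the jq-built payload parses and returns each field unchanged. The function names, embed field names and sample values are assumptions, and `jq` must be on the PATH.

```shell
#!/usr/bin/env bash
# Added illustration; names and sample values are constructed, not the repo's.

# "Before" shape: the value is pasted into a hand-built JSON string.
naive_payload() {
  printf '{"embeds":[{"fields":[{"name":"Commit","value":"%s"}]}]}' "$1"
}

# "After" shape: jq receives the values as --arg strings and escapes them.
safe_payload() {
  jq -cn --arg message "$1" --arg author "$2" \
    '{embeds: [{fields: [{name: "Commit", value: $message},
                         {name: "Author", value: $author}]}]}'
}

# Succeeds only if the text parses as a JSON object.
is_json_object() {
  printf '%s' "$1" | jq -e 'type == "object"' >/dev/null 2>&1
}

# Read field number $2 back out of payload $1, unescaped.
field_value() {
  printf '%s' "$1" | jq -r --argjson i "$2" '.embeds[0].fields[$i].value'
}

# Constructed commit metadata containing ", \ and a newline.
SAMPLE_MESSAGE='chore: bump "version" in C:\build\info
[skip ci]'
SAMPLE_AUTHOR='Dev "dx" O\Neil'

demo() {
  local naive safe
  naive=$(naive_payload "$SAMPLE_MESSAGE")
  safe=$(safe_payload "$SAMPLE_MESSAGE" "$SAMPLE_AUTHOR")
  is_json_object "$naive" && echo "naive: valid" || echo "naive: INVALID JSON"
  is_json_object "$safe" && echo "safe:  valid" || echo "safe:  INVALID JSON"
  [ "$(field_value "$safe" 0)" = "$SAMPLE_MESSAGE" ] && echo "message round-trips unchanged"
}

# Run the comparison only when asked: ./payload_demo.sh --demo
if [ "${1:-}" = "--demo" ]; then demo; fi
```

An invalid payload is exactly what `curl -s` hid: Discord rejects the request, and only `-f` turns that rejection into a non-zero exit.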