Skip to content
This repository was archived by the owner on May 3, 2026. It is now read-only.

fix: safe JSON construction for Discord webhook notifications#4

Merged
0x5t4l1n merged 1 commit into
mainfrom
copilot/fix-discord-webhook
May 3, 2026
Merged

fix: safe JSON construction for Discord webhook notifications#4
0x5t4l1n merged 1 commit into
mainfrom
copilot/fix-discord-webhook

Conversation

Copilot AI commented May 3, 2026

Copy link
Copy Markdown
Contributor

Discord webhook calls were silently failing whenever commit messages or author names contained ", \, or newlines — all common in the auto-increment workflow — because those values were interpolated raw into a hand-built JSON string.

Changes

  • JSON construction — replaced manual string interpolation with jq -n --arg so all field values are properly escaped regardless of content
  • Injection safetyCOMMIT_MESSAGE and AUTHOR are now passed via env: instead of inline ${{ }} expressions in the shell script, avoiding both shell and JSON injection
  • Failure visibility — changed curl -scurl -sf so HTTP 4xx/5xx responses from Discord surface as step failures rather than silent no-ops
# Before — breaks on any " \ or newline in message
-d "{\"fields\": [{\"value\": \"${COMMIT_MESSAGE}\"}]}"

# After — jq handles all escaping
PAYLOAD=$(jq -n --arg message "$COMMIT_MESSAGE" '{embeds: [{fields: [{value: $message}]}]}')
curl -sf -X POST "$DISCORD_WEBHOOK" -H "Content-Type: application/json" -d "$PAYLOAD"

@0x5t4l1n 0x5t4l1n marked this pull request as ready for review May 3, 2026 06:42
@0x5t4l1n 0x5t4l1n merged commit e0b143f into main May 3, 2026
1 check passed
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

No reviews

Assignees

@0x5t4l1n 0x5t4l1n

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@0x5t4l1n