fix(releases): improve commit categorization and ci security

[waleedlatif1]

Summary

• Fix release script to prioritize conventional commit prefixes (fix/feat/improvement) over keyword matching
• Fix CI to pass commit message through env var to prevent command injection

Type of Change

• Bug fix

Testing

Tested manually

Checklist

• Code follows project style guidelines
• Self-reviewed my changes
• Tests added/updated and passing
• No new warnings introduced
• I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Review	Updated (UTC)
docs	Ready	Preview, Comment	Jan 25, 2026 6:28am

[greptile-apps]

Greptile Overview

Greptile Summary

This PR addresses two important issues:

Security fix: Prevented command injection vulnerability in CI workflow by passing commit message through environment variable (COMMIT_MSG) instead of inline string interpolation. Also replaced ${{ github.ref }} with $GITHUB_REF for consistency.

Commit categorization improvement: Updated release script to prioritize conventional commit prefixes (feat:, fix:, improvement:, etc.) over keyword matching. This ensures commits following the conventional commits standard are categorized correctly before falling back to broad keyword searches.

The changes improve both security posture and release note accuracy.

Confidence Score: 5/5

• This PR is safe to merge with minimal risk
• The changes are well-scoped security and correctness improvements with no breaking changes. The CI security fix addresses a real vulnerability, and the commit categorization logic is improved without affecting existing functionality
• No files require special attention

Important Files Changed

Filename	Overview
.github/workflows/ci.yml	Fixed command injection vulnerability by passing commit message through environment variable instead of inline string interpolation
scripts/create-single-release.ts	Improved commit categorization to prioritize conventional commit format, but has edge case with redundant 'update' keyword check

Sequence Diagram

sequenceDiagram
    participant GHA as GitHub Actions
    participant Script as create-single-release.ts
    participant Git as Git Repository
    participant GitHub as GitHub API
    
    Note over GHA: CI Workflow (ci.yml)
    GHA->>GHA: Trigger on push to main/staging
    GHA->>GHA: Set COMMIT_MSG env var (secure)
    GHA->>GHA: Check if COMMIT_MSG matches version pattern
    alt Is release commit on main
        GHA->>GHA: Extract version from commit message
        GHA->>GHA: Set is_release=true
    else Not a release
        GHA->>GHA: Set is_release=false
    end
    
    Note over Script: Release Script Flow
    Script->>Git: Find version commit
    Git-->>Script: Return commit hash & metadata
    Script->>Git: Find previous version commit
    Git-->>Script: Return previous commit hash
    Script->>Git: Get commits between versions
    Git-->>Script: Return commit list
    
    loop For each commit
        Script->>GitHub: Fetch commit details via API
        GitHub-->>Script: Return author, PR number
        Script->>Script: Categorize commit (conventional format priority)
        Note over Script: 1. Check conventional prefixes<br/>2. Check other standard prefixes<br/>3. Fall back to keyword matching
    end
    
    Script->>Script: Group commits by category
    Script->>Script: Generate release notes body
    Script->>GitHub: Create GitHub release
    GitHub-->>Script: Release created successfully

Loading

[greptile-apps]

_{1 file reviewed, 1 comment}

_{Edit Code Review Agent Settings | Greptile}