braintree · jaxdesmarais · Mar 10, 2026 · Mar 9, 2026
@@ -8,44 +8,73 @@
 env:
   SIGNING_KEY_FILE_PATH: /home/runner/secretKey.gpg
 jobs:
+  validate_version:
+    name: Validate Version Input
+    runs-on: ubuntu-latest
+    steps:
+      - name: Validate version input
+        env:
+          INPUT_VERSION: ${{ github.event.inputs.version }}
+        run: |
+          set -euo pipefail
+
+          # Validate version format: x.x.x or x.x.x-betax (e.g., 4.0.0, 4.0.0-beta1)
+          # Uses bash regex to avoid a grep subprocess and (0|[1-9][0-9]*) to prevent leading zeros.
+          PATTERN='^(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)(-beta[0-9]+)?$'
+          if ! [[ "${INPUT_VERSION}" =~ $PATTERN ]]; then
+            echo "::error::Invalid version format: ${INPUT_VERSION}"
+            echo "::error::Version must be x.x.x or x.x.x-betax (e.g., 4.0.0 or 4.0.0-beta1)"
+            exit 1
+          fi
+
+          # Check length to prevent excessively long inputs
+          if [ ${#INPUT_VERSION} -gt 50 ]; then
+            echo "::error::Version string exceeds maximum length of 50 characters"
+            exit 1
+          fi
+
+          echo "Version validated: ${INPUT_VERSION}"
+
   #First we build
   build_aar:
+    needs: [ validate_version ]
     name: Build
     runs-on: ubuntu-latest
     steps:
      - name: Checkout Repository
        uses: actions/checkout@v2
      - name: Set up Java 8
        uses: actions/setup-java@v3
        with:
          java-version: '8'
          distribution: 'zulu'
      #After decoding the secret key, place the file in ~ /. Gradle/ secring.gpg
      - name: Decode Signing Key
        uses: ./.github/actions/decode_signing_key_action
        with:
          signing_key_file: ${{ secrets.SIGNING_KEY_FILE }}
          signing_file_path: ${{ env.SIGNING_KEY_FILE_PATH }}
      - name: Assemble
        run: ./gradlew --stacktrace assemble
        env:
          SIGNING_KEY_ID: ${{ secrets.SIGNING_KEY_ID }}
           SIGNING_KEY_PASSWORD: ${{ secrets.SIGNING_KEY_PASSWORD }}
           SIGNING_KEY_FILE: ${{ env.SIGNING_KEY_FILE_PATH }}
   unit_test:
+    needs: [ validate_version ]
     name: Unit Tests
     runs-on: ubuntu-latest
     steps:
      - name: Checkout Repository
        uses: actions/checkout@v2
      - name: Set up Java 8
        uses: actions/setup-java@v2
        with:
          java-version: '8'
          distribution: 'zulu'
      - name: Unit Tests
        run: ./gradlew --stacktrace testRelease
  publish:
    needs: [ unit_test, build_aar ]
    name: Publish Card Form
    runs-on: ubuntu-latest
@@ -88,6 +117,7 @@
         uses: ./.github/actions/set_github_user
       - name: Update Version
         run: |
+          set -euo pipefail
           ./gradlew -PversionParam=${{ github.event.inputs.version }} changeReleaseVersion
           ./gradlew -PversionParam=${{ github.event.inputs.version }} changeREADMEVersion
           git commit -am 'Release ${{ github.event.inputs.version }}'