From 6ab7d417412897fb991282f52b74a3aba693431a Mon Sep 17 00:00:00 2001
From: Paul van Tilburg <paul@luon.net>
Date: Sat, 27 Jul 2024 14:07:22 +0200
Subject: [PATCH 1/2] Fix release notes being escaped properly

The release notes can contain special characters that will be expanded
by bash if not escaped properly, such as the dollar sign (`$`) or the
backtick (`\``).
This PR replaces setting the `RELEASENOTES` environment variable using
double quotes by a heredoc that does not perform any shell-related
expansion.
---
 action.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/action.yml b/action.yml
index 07e73d5..125dd93 100644
--- a/action.yml
+++ b/action.yml
@@ -81,7 +81,10 @@ runs:
 
         export RELEASE_DIR="${{ inputs.release-dir }}"
 
-        export RELEASENOTES="${{ inputs.release-notes }}"
+        export RELEASENOTES=$(cat << 'EOF'
+        ${{ inputs.release-notes }}
+        EOF
+        )
 
         export SHA="${{ inputs.sha }}"
         if test -z "$SHA"; then
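Review bot: The quoted heredoc on the new `export RELEASENOTES=$(cat << 'EOF'` line stops `$` and backtick expansion, but `${{ inputs.release-notes }}` is still pasted into the script text before bash parses it, so notes containing a line that is exactly `EOF` close the heredoc early and the rest is parsed as shell. Passing the value as data avoids this: declare `RELEASENOTES: ${{ inputs.release-notes }}` under the step's `env:` and reduce the script line to `export RELEASENOTES`. The neighbouring `RELEASE_DIR` and `SHA` exports in this hunk still interpolate inputs inside double quotes and would presumably benefit from the same treatment. The step header and the rest of the `run:` block are outside the hunk, so whether an `env:` mapping already exists there cannot be seen from here.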

From 9c0ac967a94f0f1ed9e281c6dc2b176b1a0cfa14 Mon Sep 17 00:00:00 2001
From: Paul van Tilburg <paul@luon.net>
Date: Sun, 11 Aug 2024 09:05:40 +0200
Subject: [PATCH 2/2] Add test ensuring no breakage because of shell expansion

---
 .forgejo/workflows/integration.yml                   | 11 +++++++++++
 testdata/upload-download/.forgejo/workflows/test.yml |  8 +++++++-
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/.forgejo/workflows/integration.yml b/.forgejo/workflows/integration.yml
index d257bc6..b92a2db 100644
--- a/.forgejo/workflows/integration.yml
+++ b/.forgejo/workflows/integration.yml
@@ -21,6 +21,17 @@ jobs:
           export FORGEJO_RUNNER_LOGS="${{ steps.forgejo.outputs.runner-logs }}"
           forgejo-test-helper.sh run_workflow testdata/upload-download http://testuser:admin1234@${{ steps.forgejo.outputs.host-port }} testuser upload-download forgejo-release "${{ steps.forgejo.outputs.token }}"
 
+          set -ex
+          export FORGEJO="${{ steps.forgejo.outputs.url }}"
+          curl --fail -sS $FORGEJO/api/v1/repos/testuser/upload-download/releases/tags/v2.0 > /tmp/release.json
+          EXPECTED='No shell expansion should on these notes:
+          - $(some_command)
+          - `other_commend`
+          - "double quoted" and '\''single quoted'\'' strings
+          - \backslash escape
+          - !exclamation_mark'
+          test "$EXPECTED" = "$(jq -r .body < /tmp/release.json)"
+
       - name: testdata/upload-download-private
         run: |
           export FORGEJO_RUNNER_LOGS="${{ steps.forgejo.outputs.runner-logs }}"
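Review bot: The fixture notes compared against `EXPECTED` cover `$(...)`, backticks, both quote styles, a backslash and `!`, but not a line equal to the heredoc delimiter `EOF` used in action.yml, which is the one input the quoted heredoc cannot carry verbatim. Adding such a line here and to `release-notes` in testdata/upload-download/.forgejo/workflows/test.yml would make the test pin that case. Separately, `$FORGEJO` is unquoted on the `curl` line; `"$FORGEJO/api/v1/repos/testuser/upload-download/releases/tags/v2.0"` avoids word splitting. `set -ex` sits after the `forgejo-test-helper.sh` call, so it only governs the added lines; the start of this `run:` block is outside the hunk, so shell options may already be set there.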
diff --git a/testdata/upload-download/.forgejo/workflows/test.yml b/testdata/upload-download/.forgejo/workflows/test.yml
index 244826f..39d8a62 100644
--- a/testdata/upload-download/.forgejo/workflows/test.yml
+++ b/testdata/upload-download/.forgejo/workflows/test.yml
@@ -36,7 +36,13 @@ jobs:
           tag: v2.0
           token: FORGEJO_TOKEN
           release-dir: upload-dir-v2
-          release-notes: "RELEASE NOTES V2"
+          release-notes: |-
+            No shell expansion should on these notes:
+            - $(some_command)
+            - `other_commend`
+            - "double quoted" and 'single quoted' strings
+            - \backslash escape
+            - !exclamation_mark
           verbose: true
       - if: ${{ !startsWith(github.ref, 'refs/tags/v') }}
         id: release-download