From b7bb84fa6964880ae4de629e68330a4209e8a192 Mon Sep 17 00:00:00 2001 From: Jax DesMarais-Leder Date: Thu, 5 Mar 2026 13:00:18 -0600 Subject: [PATCH] Add regex validation to release workflow Co-Authored-By: Claude Sonnet 4.6 --- .github/workflows/release.yml | 40 +++++++++++++++++++++++++++++++---- 1 file changed, 36 insertions(+), 4 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 1c2517e4..744d2e3b 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -8,7 +8,35 @@ on: env: SIGNING_KEY_FILE: /home/runner/secretKey.gpg jobs: + validate_version: + name: Validate Version Input + runs-on: ubuntu-latest + steps: + - name: Validate version input + env: + INPUT_VERSION: ${{ github.event.inputs.version }} + run: | + set -euo pipefail + + # Validate version format: x.x.x or x.x.x-betax (e.g., 4.0.0, 4.0.0-beta1) + # Uses bash regex to avoid a grep subprocess and (0|[1-9][0-9]*) to prevent leading zeros. + PATTERN='^(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)(-beta[0-9]+)?$' + if ! [[ "${INPUT_VERSION}" =~ $PATTERN ]]; then + echo "::error::Invalid version format: ${INPUT_VERSION}" + echo "::error::Version must be x.x.x or x.x.x-betax (e.g., 4.0.0 or 4.0.0-beta1)" + exit 1 + fi + + # Check length to prevent excessively long inputs + if [ ${#INPUT_VERSION} -gt 50 ]; then + echo "::error::Version string exceeds maximum length of 50 characters" + exit 1 + fi + + echo "Version validated: ${INPUT_VERSION}" + build_aar: + needs: [ validate_version ] name: Build runs-on: ubuntu-latest steps: @@ -28,6 +56,7 @@ jobs: # Run unit tests after a successful build unit_test_browser_switch: + needs: [ validate_version ] name: Unit Test Browser Switch runs-on: ubuntu-latest steps: 
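Review bot: The failure branch of the format check writes the rejected value back into a workflow command (`echo "::error::Invalid version format: ${INPUT_VERSION}"`), and because the 50-character limit is only tested after the regex has matched, that echo is reached by input of any length and content. Moving the length check above the regex test and reporting the failure without the raw value, e.g. `echo "::error::Invalid version format"`, keeps unvalidated text out of the log-command channel. Separately, validate_version only protects jobs that reach it through `needs`, and the hunks shown add it to build_aar and unit_test_browser_switch only. It is worth confirming that bump_version and every other job that reads `github.event.inputs.version` depends on it directly or transitively, and that none of them carries an `if: always()`-style condition that would let it run after a failed validation.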
@@ -80,16 +109,19 @@ jobs: uses: ./.github/actions/setup_java - name: Set GitHub User run: ./ci set_github_user_to_braintreeps + - name: Set release version + run: echo "RELEASE_VERSION=${{ github.event.inputs.version }}" >> "$GITHUB_ENV" - name: Update Version run: | + set -euo pipefail ./ci publish_dokka_docs - ./ci update_version ${{ github.event.inputs.version }} - ./ci commit_and_tag_release ${{ github.event.inputs.version }} - ./ci increment_snapshot_version ${{ github.event.inputs.version }} + ./ci update_version "${RELEASE_VERSION}" + ./ci commit_and_tag_release "${RELEASE_VERSION}" + ./ci increment_snapshot_version "${RELEASE_VERSION}" ./ci increment_demo_app_version_code git commit -am 'Prepare for development' - git push origin main ${{ github.event.inputs.version }} + git push origin main "${RELEASE_VERSION}" create_github_release: needs: [ bump_version ]
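Review bot: The new "Set release version" step still expands `${{ github.event.inputs.version }}` inside the `run:` script, so the raw input is pasted into the shell text and written to `$GITHUB_ENV` before any quoting applies; the quotes added around `"${RELEASE_VERSION}"` in the `./ci` calls only help after that point. As written, the step is safe only if validate_version has passed for this run, and the `needs:` of this job lies outside the hunk, so that dependency cannot be confirmed from here. Passing the value through the environment, as the validation job does with INPUT_VERSION, removes the expansion altogether: drop the step and put `env:` with `RELEASE_VERSION: ${{ github.event.inputs.version }}` on the "Update Version" step.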