harden bump-version workflow

[GuyEshdat]

Summary

Hardens the manual release-bump workflow against script injection and supply-chain risk.

• Input validation is now fail-closed. inputs.dbt-package-version flows through env: (no shell-template substitution) and is regex-validated; invalid input fails the job rather than producing an empty filtered string. The validated value is exported as a job output for downstream consumption.
• All downstream run: steps read the validated version via needs.validate-version.outputs.version and pass it through env: — no ${{ }} interpolation inside any shell script.
• SHA-pinned repo-sync/pull-request@v2.
• Default-deny GITHUB_TOKEN: top-level permissions: {}, job-level overrides for the minimum each job needs (contents: write for the push job, contents: read + pull-requests: write for PR creation).

Test plan

• Trigger via Actions UI with a valid version (e.g. 1.2.3) → release branch + PR created.
• Trigger with an invalid version (1.2, 1.2.3; rm, ``) → job fails at validation.

Made with Cursor

Summary by CodeRabbit

• Chores
  • Improved release process reliability with enhanced version validation.
  • Strengthened security posture with explicit permission management.
  • Increased stability through locked automation dependencies.

[linear]

CORE-684 harden workflows for dbt-package

[coderabbitai]

Warning

Rate limit exceeded

@GuyEshdat has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 3 minutes and 49 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 3 minutes and 49 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 2abe852c-b6a3-48fd-a8f8-e7396560eedd

📥 Commits

Reviewing files that changed from the base of the PR and between 76c41d7 and 51765c9.

📒 Files selected for processing (1)

• .github/workflows/bump-version.yml

📝 Walkthrough

Walkthrough

The workflow refactors version validation from sed-based extraction to bash regex checking, exports the validated version via $GITHUB_OUTPUT, and updates downstream jobs to consume this validated output. Permissions are explicitly set at workflow and job levels, and the PR creation action is pinned to a specific commit SHA.

Changes

Cohort / File(s)	Summary
Workflow Permissions & Version Validation .github/workflows/bump-version.yml	Added explicit permissions at workflow and job levels. Replaced sed-based version extraction with bash regex validation using VERSION env var. Exports validated version via $GITHUB_OUTPUT. Updated downstream bump-version and create-pr jobs to consume validated output for release branch naming, file substitutions, commit messaging, and PR details. Pinned PR creation action to specific commit SHA.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 A rabbit hops through workflow lines so bright,
Version validation now flows just right,
Permissions crystal clear, outputs on parade,
With bash regex and action pinned, oh what upgrades we've made! ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'harden bump-version workflow' accurately summarizes the main change: securing the bump-version GitHub Actions workflow through input validation, fail-closed behavior, env var usage, and token permission restrictions.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch core-684-harden-bump-version

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

👋 @GuyEshdat
Thank you for raising your pull request.
Please make sure to add tests and document all user-facing changes.
You can do this by editing the docs files in the elementary repository.