Make Forgejo release deletion argv-safe #663

New issue

Closed

opened 2026-05-09 00:46:44 +00:00 by barrettruth · 0 comments

barrettruth commented 2026-05-09 00:46:44 +00:00

Owner

Copy link

Problem

Forgejo release deletion builds a shell command by concatenating the release tag into sh -c:

• lua/forge/backends/forgejo.lua:1266

Release tags are accepted as unconstrained release subjects, so tags containing spaces or shell metacharacters can fail or be interpreted as shell syntax. GitHub and GitLab release deletion use argv-safe command tables.

Expected

Build the Forgejo delete command without shell string concatenation, or quote every dynamic component with a shared safe shell-argument helper if tea requires sh -c.

Non-goals

Do not change release picker behavior or release-delete confirmation semantics.

Context

Found during release-preview readiness audit. Remote Forgejo CI cannot currently be awaited because the Spark runner is down; use local verification for the fix.

## Problem Forgejo release deletion builds a shell command by concatenating the release tag into `sh -c`: - `lua/forge/backends/forgejo.lua:1266` Release tags are accepted as unconstrained release subjects, so tags containing spaces or shell metacharacters can fail or be interpreted as shell syntax. GitHub and GitLab release deletion use argv-safe command tables. ## Expected Build the Forgejo delete command without shell string concatenation, or quote every dynamic component with a shared safe shell-argument helper if `tea` requires `sh -c`. ## Non-goals Do not change release picker behavior or release-delete confirmation semantics. ## Context Found during release-preview readiness audit. Remote Forgejo CI cannot currently be awaited because the Spark runner is down; use local verification for the fix.

barrettruth added the

bug

label 2026-05-09 00:46:44 +00:00

barrettruth referenced this issue 2026-05-09 00:47:16 +00:00

Tracker: release-preview readiness follow-up #667

barrettruth referenced this issue from a pull request that will close it, 2026-05-09 00:54:13 +00:00

fix: make Forgejo release deletion argv-safe #668

barrettruth closed this issue 2026-05-09 02:38:59 +00:00

barrettruth referenced this issue from a commit 2026-05-09 02:38:59 +00:00

fix: make Forgejo release deletion argv-safe (#668)

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

remove-ci-log-error-parser-heuristics

remove-ci-log-error-jumps

refactor/backend-detail-parsers-762

refactor/backend-metadata-flags-761

refactor/backend-ci-builders-760

refactor/fzf-transport-header-759

refactor/ci-action-routing-758

refactor/log-provider-parsers-757

refactor/compose-submit-side-effects-756

refactor/compose-document-rendering-755

refactor/compose-session-754

refactor/cmd-token-scanner-753

refactor/branch-pr-lookup-dedupe-752

refactor/local-git-completion-cache-751

refactor/release-completion-cache-warm-750

refactor/async-pr-completion-warm-749

refactor/cache-only-pr-completion-748

refactor/completion-contract-747

test/completion-call-budget-745

fix/736-ci-log-formatting

feat/random-feature

feat/new-branch

test/pr-state-ops-whitespace

ci/fix-luarocks-manifest-verification

ci/fix-luarocks-runtime

ci/fix-forgejo-luarocks-tag-release

fix/forgejo-issue-template-duplicates

fix/unsupported-forge-warning

fix/forgejo-tea-fields

feat/test

feat/gitlab-ex-aliases

ux/gitlab-interactive-terminology

feat/review-codediff

fix/fzf-reload-field-index

feat/toggle-state

fix/config-sane-validation

chore/ci-watch-trigger

new

fix/direct-create-without-picker

feat/picker-forward-nav

feat/optional-picker

tweak/adaptive-worktree-widths

tweak/git-local-subcommands

fix/commit-picker-yank-state

feat/core-git-sections

fix/template-picker

v0.2.2

v0.2.1

v0.2.0

v0.1.0

v0.1.2

nightly

v0.0.1

Labels

Clear labels   

bug

Something isn't working

  

documentation

Improvements or additions to documentation

  

duplicate

This issue or pull request already exists

  

enhancement

New feature or request

  

fugitive

  

good first issue

Good for newcomers

  

help wanted

Extra attention is needed

  

invalid

This doesn't seem right

  

question

Further information is requested

  

v0.1.0

  

v0.2.0

  

wontfix

This will not be worked on

No labels

bug

documentation

duplicate

enhancement

fugitive

good first issue

help wanted

invalid

question

v0.1.0

v0.2.0

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

barrettruth/forge.nvim#663

No description provided.