From 5cefad29eeae950a76f56eca9f01bc26610b6042 Mon Sep 17 00:00:00 2001
From: Lorenzo <1328683+enzowritescode@users.noreply.github.com>
Date: Fri, 10 Oct 2025 08:35:13 -0600
Subject: [PATCH] Improve workflow input handling (#34097)

* Improve workflow input handling by using environment variables with additional input validation and error handling
---
 .github/workflows/tag-public-module.yaml | 29 ++++++++++++++++++++----
 1 file changed, 24 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/tag-public-module.yaml b/.github/workflows/tag-public-module.yaml
index 63ef596c241..39ecd6ca2ca 100644
--- a/.github/workflows/tag-public-module.yaml
+++ b/.github/workflows/tag-public-module.yaml
@@ -22,6 +22,8 @@ jobs:
     permissions:
       contents: write
     runs-on: ubuntu-22.04
+    env:
+      COMMIT_SHA: ${{ inputs.commit_sha }}
     steps:
       - name: release/checkout-mattermost
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -32,14 +34,31 @@ jobs:
         run: |
           echo LATEST_MODULE_TAG=$(git tag --list 'server/public/*' --format='%(refname:lstrip=-1)'  --sort -v:refname | head -1) >> ${GITHUB_ENV}
 
+      - name: release/validate-commit-sha
+        run: |
+          if [ -n "$COMMIT_SHA" ]; then
+            # Validate commit SHA format (40 character hex string)
+            if [[ ! "$COMMIT_SHA" =~ ^[a-f0-9]{40}$ ]]; then
+              echo "Error: Invalid commit SHA format. Must be a 40-character hexadecimal string."
+              exit 1
+            fi
+            # Verify the commit exists in the repository
+            if ! git cat-file -e "$COMMIT_SHA" 2>/dev/null; then
+              echo "Error: Commit SHA '$COMMIT_SHA' does not exist in the repository."
+              exit 1
+            fi
+            echo "Commit SHA validation passed: $COMMIT_SHA"
+          else
+            echo "No commit SHA provided, will use HEAD"
+          fi
+
       - name: release/generate-module-release-notes
         run: |
           echo "RELEASE_NOTES<<EOF" >> ${GITHUB_ENV}
-          if [ "${{ inputs.commit_sha }}" = "" ]; 
-            then
-              echo "$(git log --oneline --graph --decorate --abbrev-commit server/public/${{ env.LATEST_MODULE_TAG }}...$(git rev-parse HEAD) server/public)" >> ${GITHUB_ENV}
-            else
-              echo "$(git log --oneline --graph --decorate --abbrev-commit server/public/${{ env.LATEST_MODULE_TAG }}...${{ inputs.commit_sha }} server/public)" >> ${GITHUB_ENV}
+          if [ -z "$COMMIT_SHA" ]; then
+            echo "$(git log --oneline --graph --decorate --abbrev-commit server/public/${{ env.LATEST_MODULE_TAG }}...$(git rev-parse HEAD) server/public)" >> ${GITHUB_ENV}
+          else
+            echo "$(git log --oneline --graph --decorate --abbrev-commit server/public/${{ env.LATEST_MODULE_TAG }}...${COMMIT_SHA} server/public)" >> ${GITHUB_ENV}
           fi
           echo "EOF" >> ${GITHUB_ENV}