
fix: harden release workflows and widget snippets #7616

Open
fairlighteth wants to merge 6 commits into develop from fix/deepsec-high-1-8

fairlighteth (Contributor) commented Jun 5, 2026

Why

This PR addresses the following DeepSec high findings from the May 5, 2026 scan report:

  1. Release-tag jobs expose GitHub App credentials to code loaded from the tag ref
  2. Release-tag deployment inherits secrets into a reusable workflow from the tag ref
  3. Token input can break out of the generated HTML embed snippet
  4. Custom token list data can poison the generated HTML embed snippet
  5. Generated Pure HTML snippet can break out of its script tag
  6. Generated HTML embed snippet can break out of its inline script
  7. Generated JavaScript snippet can contain injected code via tradeType
  8. Generated TypeScript snippet trusts raw tradeType when emitting enum syntax

Those findings fall into two groups:

  1. Release-tag workflow trust issues

    • Some release-tag workflows were loading repository-local actions/workflows from the tag ref while passing secrets or privileged credentials.
    • If a matching release tag could be pushed to an arbitrary commit, secret-bearing jobs could run code chosen by the tag author.
  2. Widget configurator code-generation injection issues

    • The widget configurator generates copy-paste HTML, JavaScript, and TypeScript embed snippets from user-controlled params.
    • Some params could break out of the generated script/object context, especially through raw string interpolation and unescaped </script> content.

What changed

Release workflow hardening

Files:

  • .github/workflows/deployment-v2.yml
  • .github/workflows/deployment.yml
  • .github/workflows/vercel.yml

Changes:

  • validate the pushed release tag against main before any secret-bearing path runs
  • resolve the tagged release commit from a trusted checkout of main
  • stop checking out the tag workspace before invoking secret-bearing local workflow/action logic
  • pass the validated release commit into the reusable Vercel workflow as an explicit checkout ref
  • replace secrets: inherit in the release deployment path with an explicit secret allowlist

Security effect:

  • release-tag jobs no longer trust code loaded directly from the tag ref before secrets are available
  • reusable deployment logic now runs against a validated release commit instead of an arbitrary tag-controlled workspace

Widget snippet hardening

Files:

  • apps/widget-configurator/src/app/embedDialog/utils/formatParameters.ts
  • apps/widget-configurator/src/app/embedDialog/utils/sanitizeParameters.ts
  • apps/widget-configurator/src/app/embedDialog/utils/formatParameters.test.ts

Changes:

  • escape script-sensitive JSON output before embedding it into generated HTML snippets
  • stop raw tradeType interpolation in generated JS/TS snippets
  • only emit TradeType.* enum syntax for known valid trade types
  • drop invalid tradeType values instead of serializing attacker-controlled content into snippets
  • add regression coverage for HTML/JS/TS snippet generation

Security effect:

  • generated snippets no longer allow straightforward </script> breakout or raw tradeType code injection through configurator params

Scope

This PR is intentionally limited to the eight findings listed above.
It does not attempt to solve unrelated DeepSec findings.

Reviewer guide

Recommended review order:

  1. .github/workflows/deployment.yml
  2. .github/workflows/deployment-v2.yml
  3. .github/workflows/vercel.yml
  4. formatParameters.ts
  5. sanitizeParameters.ts
  6. formatParameters.test.ts

QA

1. Widget configurator regression check

Goal: confirm generated snippets no longer contain injectable payloads.

Setup:

  • run pnpm start:widget
  • open the widget configurator

Test A: HTML snippet escaping

  1. Put a malicious token-like value into a field that flows into snippet params, for example:
    • </script><script>alert(1)</script>
  2. Open the generated Pure HTML snippet.
  3. Confirm the copied/rendered snippet contains escaped unicode sequences like \u003c rather than raw </script>.
  4. Confirm the snippet does not contain a literal attacker-controlled <script> tag.

Test B: invalid trade type in generated code

  1. Use the configurator state or raw params path to provide an invalid tradeType value.
  2. Open the generated JavaScript and TypeScript snippets.
  3. Confirm the invalid value is not emitted as executable code.
  4. Confirm valid enum values still render correctly as TradeType.SWAP, TradeType.LIMIT, etc. in the TypeScript snippet.

Expected result:

  • malicious content is serialized safely
  • invalid tradeType input is removed/neutralized
  • valid TradeType values still generate correct snippets

2. Automated widget checks

Run:

  • pnpm exec jest --config apps/widget-configurator/jest.config.ts --runInBand apps/widget-configurator/src/app/embedDialog/utils/formatParameters.test.ts
  • pnpm exec eslint apps/widget-configurator/src/app/embedDialog/utils/formatParameters.ts apps/widget-configurator/src/app/embedDialog/utils/sanitizeParameters.ts apps/widget-configurator/src/app/embedDialog/utils/formatParameters.test.ts

Expected result:

  • Jest passes 3 tests in formatParameters.test.ts
  • ESLint exits cleanly for the touched widget-configurator files

3. Release workflow review check

Goal: verify secret-bearing release jobs no longer trust tag workspace code.

Review points:

  1. In deployment.yml, confirm release tags are validated against main in validate-release-tag.
  2. Confirm vercel-pre-prod depends on that validation and passes checkout_ref into the reusable workflow.
  3. Confirm secrets: inherit is gone from the release deployment path.
  4. In vercel.yml, confirm checkout uses inputs.checkout_ref when provided.
  5. In deployment-v2.yml, confirm staging/prod sync jobs check out main, not the tag ref, before running the release sync action.
  6. Confirm the validated release commit is merged/cherry-picked forward rather than trusting arbitrary tag workspace content.

Expected result:

  • secret-bearing jobs operate from trusted refs plus a validated release commit, not directly from tag-controlled repository-local workflow/action code

Verification run for this PR

  • git diff --check
  • pnpm install --frozen-lockfile
  • pnpm exec jest --config apps/widget-configurator/jest.config.ts --runInBand apps/widget-configurator/src/app/embedDialog/utils/formatParameters.test.ts
  • pnpm exec eslint apps/widget-configurator/src/app/embedDialog/utils/formatParameters.ts apps/widget-configurator/src/app/embedDialog/utils/sanitizeParameters.ts apps/widget-configurator/src/app/embedDialog/utils/formatParameters.test.ts

Notes

  • pnpx nx run widget-configurator:test --runInBand --testPathPattern=formatParameters.test.ts and pnpx nx run widget-configurator:lint were blocked in this worktree by repo-wide Nx project-graph/environment issues unrelated to the patch.
  • The direct Jest and ESLint commands above passed for the touched widget-configurator files.

Summary by CodeRabbit

  • New Features

    • Added support for specifying an exact commit/ref for deploy builds.
  • Bug Fixes

    • Improved widget parameter sanitization by removing invalid tradeType values and filtering enabledTradeTypes to valid entries only.
    • Hardened embedded widget snippet serialization (HTML/JS/TS) to prevent script-injection and malformed payloads.
  • Tests

    • Added coverage to ensure snippet generation remains safe and omits malformed trade-type fields.
  • Chores

    • Tightened CI/CD release verification and branch/tag synchronization logic, including updated dependency flow and deployment secrets wiring.

- validate release tags against main before secret-bearing jobs run
- sanitize widget embed params to block script and tradeType injection

cloudflare-workers-and-pages Bot commented Jun 5, 2026

Deploying explorer-dev with Cloudflare Pages

Latest commit: 196741e
Status: ✅  Deploy successful!
Preview URL: https://1e8e3715.explorer-dev-dxz.pages.dev
Branch Preview URL: https://fix-deepsec-high-1-8.explorer-dev-dxz.pages.dev


vercel Bot commented Jun 5, 2026

The latest updates on your projects.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| cowfi | Ready | Preview | Jun 15, 2026 3:16pm |
| explorer-dev | Ready | Preview | Jun 15, 2026 3:16pm |
| storybook | Ready | Preview | Jun 15, 2026 3:16pm |
| swap-dev | Ready | Preview | Jun 15, 2026 3:16pm |
| widget-configurator | Ready | Preview | Jun 15, 2026 3:16pm |

2 Skipped Deployments

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| cosmos | Ignored | | Jun 15, 2026 3:16pm |
| sdk-tools | Ignored | Preview | Jun 15, 2026 3:16pm |

coderabbitai Bot (Contributor) commented Jun 5, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: e3568d61-4eb3-4e32-a52f-ba0480754a55

📥 Commits

Reviewing files that changed from the base of the PR and between 3e9c2c8 and 196741e.

📒 Files selected for processing (1)
  • .github/workflows/vercel.yml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/vercel.yml

Walkthrough

Tightens release commit validation across deployment workflows and parameterizes Vercel builds with a checkout_ref; deployment jobs fast-forward staging/production using the validated release commit. Hardens widget snippet generation by validating trade-type inputs and using placeholder-based, script-sensitive escaping with tests covering hostile and malformed inputs.

Changes

Release Commit Validation and Safe Deployment Pipeline

| Layer | File(s) | Summary |
| --- | --- | --- |
| Release tag validation and commit derivation | .github/workflows/deployment.yml | Adds workflow permissions and expands validate-release-tag to fetch main/tags, compute the tagged commit via git rev-list -n 1, verify reachability from origin/main via git merge-base --is-ancestor, and expose release-commit output. |
| Vercel workflow parameterization support | .github/workflows/vercel.yml | Adds optional checkout_ref workflow_call input and updates checkout to use it when provided, otherwise falling back to github.sha. |
| Deployment workflow integration with validated commits | .github/workflows/deployment.yml | Pre-prod Vercel job switches to the shared cowprotocol/cowswap workflow, adds dependency on validate-release-tag, replaces inherited secrets with explicit mapping, passes checkout_ref from validated output, and updates notification job needs formatting. |
| Release metadata collection and parameterized branch synchronization | .github/workflows/deployment-v2.yml | Collects release metadata (including release-commit) with tag reachability validation; downstream checkouts pinned to refs/heads/main; sync-staging and sync-production fast-forward branches by merging validated RELEASE_COMMIT instead of origin/main. |

Widget Snippet Security Hardening

| Layer | File(s) | Summary |
| --- | --- | --- |
| Input validation and trade type sanitization | apps/widget-configurator/src/app/embedDialog/utils/sanitizeParameters.ts | Validates tradeType against TradeType enum and filters enabledTradeTypes to include only valid enum values; removes invalid trade type fields; adds isTradeType type guard helper. |
| Output encoding and placeholder-based serialization safety | apps/widget-configurator/src/app/embedDialog/utils/formatParameters.ts, apps/widget-configurator/src/app/embedDialog/utils/formatParameters.test.ts | Replaces trade-type values with string placeholders before JSON.stringify, escapes script-sensitive characters (<, >, &, U+2028/U+2029), and restores placeholders to TradeType.* literals after comment insertion. Helper utilities support placeholder conversion and safe embedding. Test coverage validates HTML escaping of hostile tokens, JavaScript filtering of invalid trade types, TypeScript rendering of TradeType.* only for valid values, and graceful handling of malformed shapes. |

Sequence Diagram(s)

sequenceDiagram
  participant Push as push/tag event
  participant Validate as validate-release-tag
  participant PreProd as vercel-pre-prod
  participant VercelWF as .github/workflows/vercel.yml
  Push->>Validate: run release validation script
  Validate->>PreProd: output release-commit
  PreProd->>VercelWF: workflow_call with checkout_ref

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Suggested reviewers

  • alfetopito
  • shoom3301

🐰 "I hopped through commits and tidied the trail,
Valid release paths now never derail,
I chased away snippets that tried to deceive,
Placeholders and guards make outputs reprieve,
A little rabbit cheer — safe builds prevail!"

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 25.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title 'fix: harden release workflows and widget snippets' directly and clearly summarizes the main changes across both release workflow security hardening and widget snippet injection prevention. |
| Description check | ✅ Passed | The description thoroughly covers the security issues, detailed changes by file, security effects, reviewer guidance, comprehensive QA procedures, and verification commands, closely following the repository's expected structure despite using custom formatting. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


cloudflare-workers-and-pages Bot commented Jun 5, 2026

Deploying swap-dev with Cloudflare Pages

Latest commit: 196741e
Status: ✅  Deploy successful!
Preview URL: https://ad906104.swap-dev-5u6.pages.dev
Branch Preview URL: https://fix-deepsec-high-1-8.swap-dev-5u6.pages.dev


- load the staging sync path from a trusted ref before using app creds
- call the tag-triggered Vercel reusable workflow from main instead of the tag workspace

fairlighteth (Contributor Author)
AI Review (Codex GPT-5, worked 2m): no new non-duplicate findings

Review completed. I found no new non-duplicate comments worth posting on the current PR head.

Review scope and related context

Rechecked on the latest PR head:

  • .github/workflows/deployment.yml: the tag-triggered reusable workflow now loads from cowprotocol/cowswap/.github/workflows/vercel.yml@main, so it no longer trusts the tag workspace for the workflow definition.
  • .github/workflows/deployment-v2.yml: both staging and production sync paths now check out refs/heads/main before invoking the local secret-bearing action.
  • apps/widget-configurator/src/app/embedDialog/utils/*: the snippet hardening still looks coherent; invalid tradeType input is dropped, script-sensitive JSON is escaped, and the regression tests cover the main exploit paths.

Verification gap:

  • CI was still running when I finished this pass, so this conclusion is based on the current code/diff review rather than final green CI.

fairlighteth (Contributor Author) commented Jun 5, 2026
PR - Automated QA (Codex GPT-5, worked 12m): widget-configurator snippet hardening verified in browser

Outcome

  • Passed: generated Pure HTML no longer emits a literal </script><script>alert(1)</script> breakout for malicious sell.asset input.
  • Passed: invalid tradeType and malformed enabledTradeTypes input do not emit executable code in generated Javascript or Typescript snippets.
  • Passed: valid tradeType: "advanced" and enabledTradeTypes: ["swap", "yield"] still render as TradeType.ADVANCED, TradeType.SWAP, and TradeType.YIELD after the invalid-input check.
  • Follow-up note: PR browser QA is green for the widget-configurator flow; the only remaining CI red is the existing Cypress fee.test.ts 403 deny-list failure, which appears unrelated to this PR.

Source under test

  • Browser-based verification was performed locally with Playwright against the deployed preview https://widget-configurator-git-fix-deepsec-high-1-8-cowswap-dev.vercel.app.
  • The local worktree matched the same PR head SHA: bf1c05daaeac9a1fed1222cb9d0b05c47474d324.
  • Results were visually inspected from captured screenshots.

Environment:

  • Browsers: Chromium 140.0.7339.16 and Firefox 141.0
  • OS: Linux

Wallet state reached:

  • disconnected: yes
  • provider-injected: no
  • wallet-connected-ui: no
  • signing-capable: no

If re-running locally:

  • Frontend: pnpm start:widget
  • Route: /
  • Local state required: none
  • Fixtures/mocks: none

Expected results:

  1. In Raw JSON params, set {"sell":{"asset":"</script><script>alert(1)</script>"}}, click Update widget, then View Embed Code, then Pure HTML.
    Expected: the snippet contains escaped unicode such as \u003c and does not contain a literal attacker-controlled <script> breakout string.
  2. In Raw JSON params, set {"tradeType":"swap\";alert(1);//","enabledTradeTypes":["swap","yield);alert(1);//"]}, click Update widget, then inspect Javascript and Typescript.
    Expected: no alert(1) content is emitted; invalid trade-type input is dropped/neutralized.
  3. In Raw JSON params, set {"tradeType":"advanced","enabledTradeTypes":["swap","yield"]}, click Update widget, then inspect Typescript.
    Expected: the snippet includes TradeType.ADVANCED, TradeType.SWAP, and TradeType.YIELD.

Browser coverage:

  • Chromium 140.0.7339.16: baseline load, malicious HTML escaping, invalid trade-type neutralization, and valid TypeScript regression check passed.
  • Firefox 141.0: baseline load, malicious HTML escaping, invalid trade-type neutralization, and valid TypeScript regression check passed.

Why these adjacent flows were included:

  • Invalid then valid tradeType was included because the patch touches shared sanitization/serialization helpers and needed a repeat interaction to prove state does not stay corrupted after the blocked-input case.
  • Firefox re-run was included because this is browser-facing code generation and modal/tab interaction can vary by engine even when the underlying helper logic is shared.
Note: unrelated Cypress failure

Impact:

  • This does not undercut the widget-configurator/browser claim being validated here, but it still leaves the PR with one red CI check.

Observed behavior:

  • Cypress failed in fee.test.ts.
  • The failing request was POST https://barn.api.cow.fi/sepolia/api/v1/quote returning 403 Forbidden with Forbidden, your account is deny-listed.

Interpretation:

  • The failure is in the existing frontend E2E fee path, not the widget-configurator or release-workflow code touched by this PR.

Commands run:

  • PLAYWRIGHT_BROWSERS_PATH=$HOME/.cache/ms-playwright-local node /tmp/pr-qa-7616/run-qa.js
  • gh run view 27033852449 --job 79792748440 --log-failed

Still manual if desired:

  • Human readability review of the generated snippets in GitHub/Vercel preview, especially copy/paste ergonomics across the four snippet tabs.
  • Separate non-browser review of the release-workflow hardening, since those changes are config/code-review only and not meaningfully browser-QA-able.

Artifacts:

  • Chromium, disconnected, HTML escaping
  • Chromium, disconnected, invalid tradeType
  • Firefox, disconnected, valid TypeScript regression check

Residual gaps:

  • No wallet-mode coverage was needed or exercised for this PR, so provider-injected, wallet-connected-ui, and signing-capable remain intentionally untested.
  • The automated browser pass covered the widget-configurator runtime surface only; it did not attempt to simulate release-tag GitHub workflow execution.
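
The two defenses this thread describes (allowlisting trade types, then escaping script-sensitive characters before the JSON is placed in a generated snippet), as an added sketch that is not the PR's code. `TRADE_TYPES`, `sanitizeTradeTypes`, `escapeForScript`, `htmlSnippet`, `tsSnippet` and the placeholder format are hypothetical names, and the `'limit'` string value is an assumption.

```javascript
// Added example, not the PR's code. TRADE_TYPES holds only the enum members
// named on this page; the 'limit' string value is an assumption.
const TRADE_TYPES = new Map([
  ['swap', 'SWAP'],
  ['limit', 'LIMIT'],
  ['advanced', 'ADVANCED'],
  ['yield', 'YIELD'],
])

const isTradeType = (v) => typeof v === 'string' && TRADE_TYPES.has(v)

// Step 1, allowlist: drop an invalid tradeType and keep only valid entries of
// enabledTradeTypes. A non-array enabledTradeTypes is a malformed shape and is
// removed rather than coerced.
function sanitizeTradeTypes(params) {
  const out = { ...params }
  if (!isTradeType(out.tradeType)) delete out.tradeType
  if (Array.isArray(out.enabledTradeTypes)) {
    out.enabledTradeTypes = out.enabledTradeTypes.filter(isTradeType)
  } else {
    delete out.enabledTradeTypes
  }
  return out
}

// Step 2, output encoding: after this the JSON text has no raw <, > or &, so
// an HTML parser cannot find "</script" or "<!--" inside it. U+2028/U+2029 are
// escaped because they were line terminators in JavaScript source before ES2019.
// The result is still valid JSON and parses back to the same values.
function escapeForScript(json) {
  return json.replace(/[<>&\u2028\u2029]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'))
}

function htmlSnippet(params) {
  const json = escapeForScript(JSON.stringify(sanitizeTradeTypes(params), null, 2))
  return `<script>\n  const params = ${json}\n</script>`
}

// Step 3, enum syntax without interpolating input: allowlisted values are
// swapped for fixed placeholders before JSON.stringify and turned into
// TradeType.* afterwards. The restore pattern only matches allowlisted names,
// so a user string that imitates a placeholder can at most become a valid
// enum literal, never attacker-chosen text.
const placeholder = (v) => `__TRADE_TYPE_${TRADE_TYPES.get(v)}__`
const RESTORE = new RegExp(
  `"__TRADE_TYPE_(${[...TRADE_TYPES.values()].join('|')})__"`, 'g')

function tsSnippet(params) {
  const safe = sanitizeTradeTypes(params)
  if (safe.tradeType) safe.tradeType = placeholder(safe.tradeType)
  if (safe.enabledTradeTypes) {
    safe.enabledTradeTypes = safe.enabledTradeTypes.map(placeholder)
  }
  const json = escapeForScript(JSON.stringify(safe, null, 2))
  return 'const params: CowSwapWidgetParams = ' + json.replace(RESTORE, 'TradeType.$1')
}

// Inputs taken from the QA steps on this page.
console.log(htmlSnippet({ sell: { asset: '</script><script>alert(1)</script>' } }))
console.log(tsSnippet({
  tradeType: 'swap";alert(1);//',
  enabledTradeTypes: ['swap', 'yield);alert(1);//'],
}))
```

The hostile string stays in the HTML snippet as escaped data (`\u003c/script\u003e...`) and parses back to the original value, while the only `</script>` the HTML parser can see is the snippet's own closing tag.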

@fairlighteth fairlighteth marked this pull request as ready for review June 5, 2026 19:17

coderabbitai Bot (Contributor) left a comment

Actionable comments posted: 2

🧹 Nitpick comments (1)
apps/widget-configurator/src/app/embedDialog/utils/formatParameters.test.ts (1)

31-67: ⚡ Quick win

Add a regression case for malformed shape inputs (enabledTradeTypes non-array / falsy tradeType).

Current tests catch injected strings, but they miss the malformed-shape path that can break TS snippet generation. A single regression test here would lock this down.

🧪 Suggested test addition
+  it('handles malformed trade type shapes safely', () => {
+    const malformedParams = {
+      appCode: 'Widget App',
+      tradeType: '',
+      enabledTradeTypes: 'swap',
+    } as unknown as CowSwapWidgetParams
+
+    expect(() => tsExample(malformedParams, defaultPalette)).not.toThrow()
+    const snippet = tsExample(malformedParams, defaultPalette)
+    expect(snippet).not.toContain('tradeType')
+    expect(snippet).not.toContain('enabledTradeTypes')
+  })
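Review bot: the suggested case calls tsExample(malformedParams, defaultPalette) twice, once inside the not.toThrow wrapper and again to capture snippet, and it covers only the empty-string tradeType and string enabledTradeTypes shape. Capturing the result once is enough, since a throw already fails the test; consider adding the same assertions for jsExample and a null enabledTradeTypes, both of which the accompanying prompt mentions.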
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@apps/widget-configurator/src/app/embedDialog/utils/formatParameters.test.ts`
around lines 31 - 67, Add a regression test in formatParameters.test.ts to cover
malformed-shape inputs for tsExample (and optionally jsExample): create params
where enabledTradeTypes is not an array (e.g., null or a string) and tradeType
is falsy/undefined, cast to CowSwapWidgetParams, invoke tsExample (and jsExample
if desired), and assert the generated snippet does not include injected payloads
like 'alert(1)' or malformed enum text and that valid enums (e.g.,
TradeType.SWAP) still appear when present; use the existing test style and
functions tsExample, jsExample, CowSwapWidgetParams, enabledTradeTypes, and
tradeType to locate where to add this case.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/deployment.yml:
- Line 71: The workflow currently references the reusable workflow with a
mutable ref ("uses: cowprotocol/cowswap/.github/workflows/vercel.yml@main");
replace the "`@main`" ref with a pinned immutable ref (a specific commit SHA or a
release tag) so the reusable workflow cannot change between validation and
execution—update the "uses:
cowprotocol/cowswap/.github/workflows/vercel.yml@main" entry to use "@" followed
by the commit hash or stable tag.

In `@apps/widget-configurator/src/app/embedDialog/utils/sanitizeParameters.ts`:
- Around line 20-26: Ensure malformed trade-type fields are normalized: for
sanitized.tradeType, validate with isTradeType and set to undefined (or delete)
whenever it is not a valid trade type (including falsy empty string), not only
when truthy; for sanitized.enabledTradeTypes, coerce non-array values to an
empty array and then filter using isTradeType (i.e., if typeof
sanitized.enabledTradeTypes !== 'object' || !Array.isArray(...), set to []
before applying .filter). Update the logic around the sanitized object
(references: sanitized.tradeType and sanitized.enabledTradeTypes) so downstream
code that maps over enabledTradeTypes (used by formatParameters) always receives
an array of valid trade types.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 2e81d223-147f-47c4-9b6a-57e17e9c9dfa

📥 Commits

Reviewing files that changed from the base of the PR and between 9c7abf2 and bf1c05d.

📒 Files selected for processing (6)
  • .github/workflows/deployment-v2.yml
  • .github/workflows/deployment.yml
  • .github/workflows/vercel.yml
  • apps/widget-configurator/src/app/embedDialog/utils/formatParameters.test.ts
  • apps/widget-configurator/src/app/embedDialog/utils/formatParameters.ts
  • apps/widget-configurator/src/app/embedDialog/utils/sanitizeParameters.ts

Comment thread .github/workflows/deployment.yml
Comment thread apps/widget-configurator/src/app/embedDialog/utils/sanitizeParameters.ts Outdated
if: startsWith(github.ref, 'refs/tags')
uses: ./.github/workflows/vercel.yml
secrets: inherit
needs: validate-release-tag

Collaborator

As far as I understand, we should remove deployment.yml soon due to the new deployment flow. @alfetopito Am I right? If yes, it's probably better not to touch this file at all in order to reduce the scope of the PR changes.

Collaborator

Yes!
It's in my todo list after we move prod over to cf-pages.

alfetopito (Collaborator)

For the first test case, the bad code is still there. Shouldn't the script be removed completely instead?

image

On the 3rd case, the trade types match current behaviour on prod:

image

Collaborator

👍

Collaborator

As Sasha mentioned, this one can remain untouched as it'll be removed soon.

Collaborator

Same as above.

@@ -1,10 +1,12 @@
import { CowSwapWidgetParams } from '@cowprotocol/widget-lib'

Collaborator

I would not touch widget-configurator as well to avoid conflicts with #7604
