Add GitHub Action step to remove "v" prefix from release titles

[Copilot]

This PR adds a new step to the existing release-please workflow that automatically removes the "v" prefix from release titles after they are created.

Problem

Release-please may still add a "v" prefix to release titles despite configuration settings like "include-v-in-tag": false. Since there's no reliable configuration option in release-please to prevent this, we need a post-processing step to clean up the release titles.

Solution

Added a new GitHub Action step that:

• Only runs when a release is actually created (release_created output is true)
• Uses the GitHub REST API to fetch the current release data
• Removes the "v" prefix only when it's followed by a digit (e.g., "v1.0.0" → "1.0.0")
• Leaves other titles unchanged (e.g., "version 1.0.0" remains as-is)
• Updates the release title via the GitHub API
• Includes comprehensive error handling and logging

Implementation Details

The step uses a refined regex pattern sed 's/^v\([0-9]\)/\1/' that:

• Only matches "v" at the beginning of the string
• Only removes it when followed by a digit
• Preserves other uses of "v" in titles

Example transformations:

• ✅ "v1.0.0" → "1.0.0"
• ✅ "v2.1.3" → "2.1.3"
• ✅ "1.0.0" → "1.0.0" (no change)
• ✅ "version 1.0.0" → "version 1.0.0" (no change)
• ✅ "V1.0.0" → "V1.0.0" (case sensitive, no change)

Testing

• Validated YAML syntax
• Tested the regex logic with various input scenarios
• Ensured minimal, surgical changes to existing workflow

Fixes #67.

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[lgallard]

bugbot run

[lgallard]

Bug: JSON Interpolation Vulnerability

The NEW_TITLE variable is directly interpolated into the JSON payload for the GitHub API PATCH request without proper escaping. If the release title contains special JSON characters (e.g., double quotes, backslashes, newlines), it will produce malformed JSON, causing the API call to fail. The JSON payload should be safely constructed using jq to prevent this.

.github/workflows/release-please.yml#L60-L61
Fix in Cursor

BugBot free trial expires on June 9, 2025 You have used $0.00 of your $50.00 spend limit so far. Manage your spend limit in the Cursor dashboard.

Was this report helpful? Give feedback by reacting with 👍 or 👎

@copilot please address it

[Copilot]

Bug: JSON Interpolation Vulnerability

The NEW_TITLE variable is directly interpolated into the JSON payload for the GitHub API PATCH request without proper escaping. If the release title co...

Fixed the JSON interpolation vulnerability by replacing direct string interpolation with secure jq construction. The JSON payload is now safely built using jq -n --arg name "$NEW_TITLE" '{name: $name}' which properly escapes special characters like quotes, backslashes, and newlines. Commit c6d87c9

[lgallard]

bugbot run

[cursor]

✅ BugBot reviewed your changes and found no bugs!

---

Was this report helpful? Give feedback by reacting with 👍 or 👎