From 74059b8d9b5a9f1af0d3309d5aa07712cb16b958 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gergely=20B=C3=A9k=C3=A9si?= <gergely.bekesi@ethswarm.org>
Date: Tue, 5 May 2026 10:36:22 +0200
Subject: [PATCH 1/2] ci: handle bee.js released event

---
 .github/workflows/update-bee-js.yaml | 33 ++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)
 create mode 100644 .github/workflows/update-bee-js.yaml

diff --git a/.github/workflows/update-bee-js.yaml b/.github/workflows/update-bee-js.yaml
new file mode 100644
index 0000000..1101875
--- /dev/null
+++ b/.github/workflows/update-bee-js.yaml
@@ -0,0 +1,33 @@
+name: Update bee-js
+
+on:
+    repository_dispatch:
+        types: [bee-js-released]
+
+jobs:
+    update-bee-js:
+        runs-on: ubuntu-latest
+        permissions:
+            contents: write
+            pull-requests: write
+
+        steps:
+            - name: Checkout
+              uses: actions/checkout@v4
+
+            - name: Update BEE_JS_VERSION in dependency.ts
+              run: |
+                  VERSION=${{ github.event.client_payload.version }}
+                  sed -i "s/BEE_JS_VERSION = '\\^[^']*'/BEE_JS_VERSION = '^\$VERSION'/" src/dependency.ts
+
+            - name: Create pull request
+              uses: peter-evans/create-pull-request@v7
+              with:
+                  commit-message: 'chore: update bee-js to v${{ github.event.client_payload.version }}'
+                  branch: update-bee-js-${{ github.event.client_payload.version }}
+                  title: 'chore: update bee-js to v${{ github.event.client_payload.version }}'
+                  body: |
+                      Automated update of `@ethersphere/bee-js` to `^${{ github.event.client_payload.version }}`.
+
+                      Please review the [bee-js changelog](https://github.com/ethersphere/bee-js/blob/master/CHANGELOG.md) before merging.
+                  labels: dependencies

From 144359b43e813dd3748767e92c5fb339f5f6e279 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gergely=20B=C3=A9k=C3=A9si?= <gergely.bekesi@ethswarm.org>
Date: Thu, 14 May 2026 13:20:21 +0200
Subject: [PATCH 2/2] fix: handle security concerns and make the wf more
 bulletproof

---
 .github/workflows/update-bee-js.yaml | 73 +++++++++++++++++-----------
 1 file changed, 45 insertions(+), 28 deletions(-)

diff --git a/.github/workflows/update-bee-js.yaml b/.github/workflows/update-bee-js.yaml
index 1101875..74a6e09 100644
--- a/.github/workflows/update-bee-js.yaml
+++ b/.github/workflows/update-bee-js.yaml
@@ -1,33 +1,50 @@
 name: Update bee-js
 
 on:
-    repository_dispatch:
-        types: [bee-js-released]
+  repository_dispatch:
+    types: [bee-js-released]
 
 jobs:
-    update-bee-js:
-        runs-on: ubuntu-latest
-        permissions:
-            contents: write
-            pull-requests: write
-
-        steps:
-            - name: Checkout
-              uses: actions/checkout@v4
-
-            - name: Update BEE_JS_VERSION in dependency.ts
-              run: |
-                  VERSION=${{ github.event.client_payload.version }}
-                  sed -i "s/BEE_JS_VERSION = '\\^[^']*'/BEE_JS_VERSION = '^\$VERSION'/" src/dependency.ts
-
-            - name: Create pull request
-              uses: peter-evans/create-pull-request@v7
-              with:
-                  commit-message: 'chore: update bee-js to v${{ github.event.client_payload.version }}'
-                  branch: update-bee-js-${{ github.event.client_payload.version }}
-                  title: 'chore: update bee-js to v${{ github.event.client_payload.version }}'
-                  body: |
-                      Automated update of `@ethersphere/bee-js` to `^${{ github.event.client_payload.version }}`.
-
-                      Please review the [bee-js changelog](https://github.com/ethersphere/bee-js/blob/master/CHANGELOG.md) before merging.
-                  labels: dependencies
+  update-bee-js:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Validate version
+        env:
+          VERSION: ${{ github.event.client_payload.version }}
+        run: |
+          if ! printf '%s' "$VERSION" | grep -qE '^[0-9]+\.[0-9]+\.[0-9]+(-[A-Za-z0-9.-]+)?$'; then
+            echo "invalid version: $VERSION" >&2; exit 1
+          fi
+
+      - name: Update BEE_JS_VERSION in dependency.ts
+        env:
+          VERSION: ${{ github.event.client_payload.version }}
+        run: |
+          sed -i "s/BEE_JS_VERSION = '\\^[^']*'/BEE_JS_VERSION = '^\$VERSION'/" src/dependency.ts
+
+      - name: Generate App token
+        id: app-token
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ secrets.BEE_RUNNER_CLIENT_ID }}
+          private-key: ${{ secrets.BEE_RUNNER_KEY }}
+
+      - name: Create pull request
+        uses: peter-evans/create-pull-request@v8.1.1
+        with:
+          token: ${{ steps.app-token.outputs.token }}
+          commit-message: 'chore: update bee-js to v${{ github.event.client_payload.version }}'
+          branch: update-bee-js-${{ github.event.client_payload.version }}
+          title: 'chore: update bee-js to v${{ github.event.client_payload.version }}'
+          body: |
+            Automated update of `@ethersphere/bee-js` to `^${{ github.event.client_payload.version }}`.
+
+            Please review the [bee-js changelog](https://github.com/ethersphere/bee-js/blob/master/CHANGELOG.md) before merging.
+          labels: dependencies