From 9bee023105314698a13f74ff9d5493fca143d274 Mon Sep 17 00:00:00 2001
From: Ayaz Salikhov
Date: Mon, 30 Jun 2025 12:03:06 +0100
Subject: [PATCH] fix: Do not allow command injection in GitHub workflows (#2270)

---
 .github/workflows/release_impl.yml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/release_impl.yml b/.github/workflows/release_impl.yml
index 2644b28f..0164657f 100644
--- a/.github/workflows/release_impl.yml
+++ b/.github/workflows/release_impl.yml
@@ -69,9 +69,9 @@ jobs:
 shell: bash
 if: ${{ inputs.generate_changelog }}
 run: |
- LAST_TAG=$(gh release view --json tagName -q .tagName)
- LAST_TAG_COMMIT=$(git rev-parse $LAST_TAG)
- BASE_COMMIT=$(git merge-base HEAD $LAST_TAG_COMMIT)
+ LAST_TAG="$(gh release view --json tagName -q .tagName)"
+ LAST_TAG_COMMIT="$(git rev-parse $LAST_TAG)"
+ BASE_COMMIT="$(git merge-base HEAD $LAST_TAG_COMMIT)"
 git-cliff "${BASE_COMMIT}..HEAD" --ignore-tags "nightly|-b"
 cat CHANGELOG.md >> "${RUNNER_TEMP}/release_notes.md"
@@ -108,10 +108,10 @@ jobs:
 if: ${{ github.event_name != 'pull_request' }}
 shell: bash
 run: |
- gh release create ${{ inputs.version }} \
+ gh release create "${{ inputs.version }}" \
 ${{ inputs.overwrite_release && '--prerelease' || '' }} \
 --title "${{ inputs.title }}" \
- --target $GITHUB_SHA \
+ --target "${GITHUB_SHA}" \
 ${{ inputs.draft && '--draft' || '' }} \
 --notes-file "${RUNNER_TEMP}/release_notes.md" \
 ./release_artifacts/clio_server*
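Review bot: The quotes added around the three `VAR="$(...)"` assignments are behaviour-neutral, because bash does no word splitting or globbing on the right-hand side of a plain assignment, while the expansions that can split — `$LAST_TAG` inside the `git rev-parse` substitution and `$LAST_TAG_COMMIT` inside `git merge-base` — are left unquoted on the two new lines. Git refnames cannot contain whitespace or `*`/`?`/`[`, so the practical exposure is small, but if the hunk is meant as hardening the quotes belong on those expansions: `LAST_TAG_COMMIT="$(git rev-parse --verify "${LAST_TAG}^{commit}")"` and `BASE_COMMIT="$(git merge-base HEAD "${LAST_TAG_COMMIT}")"`. `--verify` additionally guarantees that exactly one object name comes back instead of whatever rev-parse prints for an unresolvable tag. None of this hunk touches the command injection named in the subject, since `$(...)` output is never re-parsed as shell here. The step this `run:` belongs to starts above the hunk.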
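Review bot: Double-quoting `${{ inputs.version }}` on the `gh release create` line does not close the injection the subject describes: the `${{ }}` expression is substituted into the script text by the Actions runner before bash starts, and inside bash double quotes `$(...)`, backticks and `$VAR` still expand while an embedded `"` simply ends the quoted word, so a crafted value still runs arbitrary commands; the untouched `--title "${{ inputs.title }}"` has the same problem. The `${{ inputs.overwrite_release && ... }}` and `${{ inputs.draft && ... }}` expressions only ever yield a fixed literal and the new `"${GITHUB_SHA}"` is a runner-provided SHA, so those are fine as written. The robust pattern is to pass the two string inputs through `env:` on the step and reference them as ordinary shell variables, as sketched below. How exploitable this is depends on where the caller sources `version` and `title` (presumably a reusable workflow, judging by `inputs.*` combined with `github.event_name`), which is not visible here; the step's `- name:` and any existing `env:` keys lie above the hunk.

```yaml
        env:
          RELEASE_VERSION: ${{ inputs.version }}
          RELEASE_TITLE: ${{ inputs.title }}
        run: |
          gh release create "${RELEASE_VERSION}" \
          # … unchanged: --prerelease expression …
          --title "${RELEASE_TITLE}" \
          # … unchanged: --target, --draft, --notes-file, artifact glob …
```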