fix: Do not allow command injection in GitHub workflows (#2270)

2025-11-20 03:35:55 +00:00 · 2025-06-30 12:03:06 +01:00
parent 4ee3ef94d9
commit 9bee023105
1 changed files with 5 additions and 5 deletions
--- a/.github/workflows/release_impl.yml
+++ b/.github/workflows/release_impl.yml
@@ -69,9 +69,9 @@ jobs:
        shell: bash
        if: ${{ inputs.generate_changelog }}
        run: |
-          LAST_TAG=$(gh release view --json tagName -q .tagName)
+          LAST_TAG="$(gh release view --json tagName -q .tagName)"
-          LAST_TAG_COMMIT=$(git rev-parse $LAST_TAG)
+          LAST_TAG_COMMIT="$(git rev-parse $LAST_TAG)"
-          BASE_COMMIT=$(git merge-base HEAD $LAST_TAG_COMMIT)
+          BASE_COMMIT="$(git merge-base HEAD $LAST_TAG_COMMIT)"
          git-cliff "${BASE_COMMIT}..HEAD" --ignore-tags "nightly|-b"
          cat CHANGELOG.md >> "${RUNNER_TEMP}/release_notes.md"
@@ -108,10 +108,10 @@ jobs:
        if: ${{ github.event_name != 'pull_request' }}
        shell: bash
        run: |
-          gh release create ${{ inputs.version }} \
+          gh release create "${{ inputs.version }}" \
            ${{ inputs.overwrite_release && '--prerelease' || '' }} \
            --title "${{ inputs.title }}" \
-            --target $GITHUB_SHA \
+            --target "${GITHUB_SHA}" \
            ${{ inputs.draft && '--draft' || '' }} \
            --notes-file "${RUNNER_TEMP}/release_notes.md" \
            ./release_artifacts/clio_server*