security(gha): fix potential for shell injection (#4099)

Running these workflows is gated pretty well, but this mitigates the potential for a script injection attack by passing the input to an intermediary environment variable first. See https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#example-of-a-script-injection-attack for more details.
getsentry · Feb 26, 2025 · 07d2dce · 07d2dce
1 parent 189e4a9
commit 07d2dce
Showing 1 changed file with 5 additions and 2 deletions.
diff --git a/.github/workflows/release-comment-issues.yml b/.github/workflows/release-comment-issues.yml
@@ -17,7 +17,10 @@ jobs:
     steps:
       - name: Get version
         id: get_version
-        run: echo "version=${{ github.event.inputs.version || github.event.release.tag_name }}" >> $GITHUB_OUTPUT
+        env:
+          INPUTS_VERSION: ${{ github.event.inputs.version }}
+          RELEASE_TAG_NAME: ${{ github.event.release.tag_name }}
+        run: echo "version=${$INPUTS_VERSION:-$RELEASE_TAG_NAME}" >> "$GITHUB_OUTPUT"
 
       - name: Comment on linked issues that are mentioned in release
         if: |
@@ -28,4 +31,4 @@ jobs:
         uses: getsentry/release-comment-issues-gh-action@v1
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
-          version: ${{ steps.get_version.outputs.version }}
+          version: ${{ steps.get_version.outputs.version }}