From 07d2dce5b96594b867fd0f9cfd74ca953c811c71 Mon Sep 17 00:00:00 2001
From: Matthew T <20070360+mdtro@users.noreply.github.com>
Date: Wed, 26 Feb 2025 03:01:56 -0600
Subject: [PATCH] security(gha): fix potential for shell injection (#4099)

Running these workflows is gated pretty well, but this mitigates the potential for a script injection attack by passing the input to an intermediary environment variable first.

See https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#example-of-a-script-injection-attack for more details.
---
 .github/workflows/release-comment-issues.yml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/release-comment-issues.yml b/.github/workflows/release-comment-issues.yml
index d31c61dced..8870f25bc0 100644
--- a/.github/workflows/release-comment-issues.yml
+++ b/.github/workflows/release-comment-issues.yml
@@ -17,7 +17,10 @@ jobs:
 steps:
 - name: Get version
 id: get_version
- run: echo "version=${{ github.event.inputs.version || github.event.release.tag_name }}" >> $GITHUB_OUTPUT
+ env:
+ INPUTS_VERSION: ${{ github.event.inputs.version }}
+ RELEASE_TAG_NAME: ${{ github.event.release.tag_name }}
+ run: echo "version=${$INPUTS_VERSION:-$RELEASE_TAG_NAME}" >> "$GITHUB_OUTPUT"

 - name: Comment on linked issues that are mentioned in release
 if: |
@@ -28,4 +31,4 @@ jobs:
 uses: getsentry/release-comment-issues-gh-action@v1
 with:
 github_token: ${{ secrets.GITHUB_TOKEN }}
- version: ${{ steps.get_version.outputs.version }}
\ No newline at end of file
+ version: ${{ steps.get_version.outputs.version }}
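Review bot: The new `run` line in the first hunk has a broken parameter expansion: `${$INPUTS_VERSION:-$RELEASE_TAG_NAME}` puts a `$` inside the braces, which bash (the default shell for `run` steps) rejects as a bad substitution, so the step would fail instead of writing the version output. The intended fallback form is `run: echo "version=${INPUTS_VERSION:-$RELEASE_TAG_NAME}" >> "$GITHUB_OUTPUT"`, which preserves the empty-string fallback the original `||` expression gave while still keeping the event-supplied values in the environment rather than in the script text. A short comment above the `env:` block would keep the indirection from being "simplified" away later, e.g. `# Pass event values through env vars; never interpolate ${{ }} directly into run: (script injection)`. The enclosing job and the step's `if:` block continue outside the hunk; the second hunk only adds the missing final newline.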