From af28743350d73893e24c873cd8bff45b4a9e726b Mon Sep 17 00:00:00 2001
From: "fix-it-felix-sentry[bot]" <260785270+fix-it-felix-sentry[bot]@users.noreply.github.com>
Date: Thu, 30 Apr 2026 15:01:33 +0000
Subject: [PATCH] fix: Prevent script injection in release workflow

Use environment variables instead of direct GitHub context interpolation in run scripts to prevent potential code injection attacks.

Fixes: https://linear.app/getsentry/issue/VULN-1609
Fixes: https://linear.app/getsentry/issue/PRO-40

Co-Authored-By: Claude Sonnet 4.5
---
 .github/workflows/release-ghcr-version-tag.yaml | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/release-ghcr-version-tag.yaml b/.github/workflows/release-ghcr-version-tag.yaml
index d68ad83d..c2abb292 100644
--- a/.github/workflows/release-ghcr-version-tag.yaml
+++ b/.github/workflows/release-ghcr-version-tag.yaml
@@ -16,13 +16,18 @@ jobs:
 password: ${{ secrets.GITHUB_TOKEN }}
 - name: Tag release version
+ env:
+ REF_NAME: ${{ github.ref_name }}
+ GITHUB_SHA: ${{ github.sha }}
 run: |
 docker buildx imagetools create --tag \
- ghcr.io/getsentry/vroom:${{ github.ref_name }} \
- ghcr.io/getsentry/vroom:${{ github.sha }}
+ ghcr.io/getsentry/vroom:"$REF_NAME" \
+ ghcr.io/getsentry/vroom:"$GITHUB_SHA"
 - name: Tag latest version
+ env:
+ GITHUB_SHA: ${{ github.sha }}
 run: |
 docker buildx imagetools create --tag \
 ghcr.io/getsentry/vroom:latest \
- ghcr.io/getsentry/vroom:${{ github.sha }}
+ ghcr.io/getsentry/vroom:"$GITHUB_SHA"
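Review bot: The `GITHUB_SHA: ${{ github.sha }}` entries added under `env:` in both steps redefine a variable the runner already exports as a default environment variable with the same value as `github.sha`, and GitHub documents the `GITHUB_` prefix as reserved for its own use, so the redefinition is at best redundant and may be rejected or ignored by the runner. Moving the interpolation out of the `run:` script is the right mitigation, since `github.ref_name` is the only value here that a tag pusher controls; keeping that intent clear means the first step only needs `env:` with `REF_NAME: ${{ github.ref_name }}`, the second step needs no `env:` block at all, and both scripts can keep referencing `"$GITHUB_SHA"` as they do now. If the intent was to pin the value explicitly rather than rely on the default, rename it to something outside the reserved prefix, e.g. `COMMIT_SHA: ${{ github.sha }}` with `"$COMMIT_SHA"` in the scripts. The hunk header says 13 old lines but only 11 are visible, so a couple of trailing context lines appear to be missing from this view.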