From f7a17bd0f8e051cc5be74ce208e814f9efde974e Mon Sep 17 00:00:00 2001
From: "fix-it-felix-sentry[bot]" <260785270+fix-it-felix-sentry[bot]@users.noreply.github.com>
Date: Wed, 29 Apr 2026 03:11:15 +0000
Subject: [PATCH] fix: Prevent potential shell injection in GitHub Actions workflow

Use environment variables to store github context data instead of directly interpolating them in the run script to prevent potential shell injection attacks.

Fixes: https://linear.app/getsentry/issue/VULN-1586
Fixes: https://linear.app/getsentry/issue/ENG-7551

Co-Authored-By: Claude Sonnet 4.5
---
 .github/workflows/release-ghcr-version-tag.yml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/release-ghcr-version-tag.yml b/.github/workflows/release-ghcr-version-tag.yml
index 565f5b0b91..805547c415 100644
--- a/.github/workflows/release-ghcr-version-tag.yml
+++ b/.github/workflows/release-ghcr-version-tag.yml
@@ -16,7 +16,10 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Tag release version
+        env:
+          REF_NAME: ${{ github.ref_name }}
+          SHA: ${{ github.sha }}
         run: |
           docker buildx imagetools create \
-            -t ghcr.io/getsentry/sentry-cli:${{ github.ref_name }} \
-            ghcr.io/getsentry/sentry-cli:${{ github.sha }}
+            -t ghcr.io/getsentry/sentry-cli:"$REF_NAME" \
+            ghcr.io/getsentry/sentry-cli:"$SHA"
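Review bot: The `"$REF_NAME"` value in the added `-t ghcr.io/getsentry/sentry-cli:"$REF_NAME"` line is still attacker-influenced input that is now published verbatim as a public image tag, and the hunk adds no check on its shape before `docker buildx imagetools create` runs. Quoting removes the shell-injection path, but whoever can push a ref matching this workflow's trigger (the `on:` block is outside the hunk, so I cannot tell how narrow it is) can still choose any tag name, including one that shadows an existing release tag. I would fail fast at the top of the `run:` block with `[[ "$REF_NAME" =~ ^[A-Za-z0-9_][A-Za-z0-9._-]{0,127}$ ]] || { printf 'refusing to publish unexpected ref name: %s\n' "$REF_NAME" >&2; exit 1; }`, tightening the regex to the project's actual version-tag format if the trigger does not already enforce one. The enclosing job and its `steps:` header start before this hunk.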