From c67de6d3d0a2e727ff2e82dd9e6ab0c124b5bc60 Mon Sep 17 00:00:00 2001
From: "fix-it-felix-sentry[bot]" <260785270+fix-it-felix-sentry[bot]@users.noreply.github.com>
Date: Wed, 29 Apr 2026 06:08:57 +0000
Subject: [PATCH] Fix shell injection vulnerability in release workflow

Move github.ref_name from direct interpolation to environment variable to prevent potential code injection attacks. This addresses the security finding where untrusted GitHub context data could be used to inject malicious code into the runner.

Fixes: https://linear.app/getsentry/issue/VULN-1591
Fixes: https://linear.app/getsentry/issue/CCMRG-2208

Co-Authored-By: Claude Sonnet 4.5
---
 .github/workflows/release-codecov-cli.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/release-codecov-cli.yml b/.github/workflows/release-codecov-cli.yml
index a234b507..5ef177cd 100644
--- a/.github/workflows/release-codecov-cli.yml
+++ b/.github/workflows/release-codecov-cli.yml
@@ -47,5 +47,6 @@ jobs:
       - name: Publish a message to a Pub/Sub topic
         env:
           CLOUDSDK_CORE_PROJECT: ${{ secrets.GCLOUD_UPLOADER_PROJECT_ID }}
+          REF_NAME: ${{ github.ref_name }}
         run: |
-          gcloud pubsub topics publish ${{ secrets.GCLOUD_UPLOADER_PUBSUB_TOPIC }} --message '{"release":"'"${{ github.ref_name }}"'", "latest":true}'
+          gcloud pubsub topics publish ${{ secrets.GCLOUD_UPLOADER_PUBSUB_TOPIC }} --message '{"release":"'"$REF_NAME"'", "latest":true}'
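Review bot: The new `"$REF_NAME"` on the last `+` line closes the shell-injection path but is still spliced into the JSON payload by string concatenation, so a ref name containing a double quote (which git permits in branch and tag names) yields malformed or altered JSON rather than a quoted value; build the message with a JSON encoder instead, e.g. `--message "$(jq -cn --arg release "$REF_NAME" '{release: $release, latest: true}')"` (jq is preinstalled on GitHub-hosted runners). On the same line `${{ secrets.GCLOUD_UPLOADER_PUBSUB_TOPIC }}` is still interpolated directly into `run:`; a secret is not attacker-controlled, but moving it beside `REF_NAME` under `env:` as `PUBSUB_TOPIC: ${{ secrets.GCLOUD_UPLOADER_PUBSUB_TOPIC }}` keeps the script free of inline expressions, which is the pattern the commit already adopts. The enclosing job and the workflow trigger are outside the hunk, so how far `github.ref_name` is attacker-influenced at this step cannot be confirmed from here.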