prevent cmd injection and pin sigstore version

JasonVranek · JasonVranek · commit 7035d41c119a · 2026-03-12T09:35:12.000-07:00
diff --git a/.github/workflows/release-gate.yml b/.github/workflows/release-gate.yml
@@ -48,9 +48,9 @@ jobs:
           fi
 
       - name: Validate version is strictly increasing
+        env:
+          NEW_VERSION: ${{ steps.version.outputs.new }}
         run: |
-          NEW_VERSION="${{ steps.version.outputs.new }}"
-
           # Get the latest tag; if none exist yet, skip the comparison
           LATEST_TAG=$(git tag --list 'v*' --sort=-version:refname | head -n1)
           if [ -z "$LATEST_TAG" ]; then
@@ -87,8 +87,9 @@ jobs:
           git config user.email "commit-boost-release-bot[bot]@users.noreply.github.com"
 
       - name: Create and push tag
+        env:
+          VERSION: ${{ steps.version.outputs.new }}
         run: |
-          VERSION="${{ steps.version.outputs.new }}"
           git tag "$VERSION" HEAD
           git push origin "$VERSION"
           # Branch fast-forwarding happens in release.yml after all artifacts
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -168,7 +168,7 @@ jobs:
           pattern: "commit-boost*"
 
       - name: Sign binaries
-        uses: sigstore/gh-action-sigstore-python@v3.2.0
+        uses: sigstore/gh-action-sigstore-python@a5caf349bc536fbef3668a10ed7f5cd309a4b53d #v3.2.0
         with:
           inputs: ./artifacts/**/*.tar.gz
 
@@ -391,4 +391,4 @@ jobs:
           token: ${{ steps.app-token.outputs.token }}
 
       - name: Delete tag
-        run: git push origin --delete ${{ github.ref_name }}
+        run: git push origin --delete ${{ github.ref_name }}
