security: add version pinning and prevent command injection in bump-version workflow

Copilot · egorsmkv · Copilot · commit 2dd684e92b18 · 2025-12-21T19:39:29.000Z
Co-authored-by: egorsmkv &lt;7875085+egorsmkv@users.noreply.github.com&gt;
diff --git a/.github/workflows/bump-version.yaml b/.github/workflows/bump-version.yaml
@@ -19,10 +19,14 @@ jobs:
       - uses: Swatinem/rust-cache@v2
         with:
           key: stable
-      - uses: taiki-e/install-action@cargo-edit
+      - uses: taiki-e/install-action@v2
+        with:
+          tool: cargo-edit
       - name: Bump version in Cargo.toml
+        env:
+          VERSION: ${{ github.event.inputs.version }}
         run: |
-          cargo set-version ${{ github.event.inputs.version }}
+          cargo set-version "$VERSION"
         shell: bash
       - name: Update Cargo.lock
         run: cargo update
