From f7cb08189a61dc7a3af1e02571413b3ee9e22b42 Mon Sep 17 00:00:00 2001
From: Trung Lai
Date: Sun, 31 May 2026 07:25:18 +0700
Subject: [PATCH] fix(release): use env var to prevent shell injection in Save Published Packages step

Co-Authored-By: Claude Sonnet 4.6
---
 .github/workflows/release.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 20926ece..5a3f0d7b 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -31,9 +31,9 @@ jobs:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 - name: Save Published Packages
 if: steps.create-release-pr.outputs.published == 'true'
- run: |
- echo '${{steps.create-release-pr.outputs.publishedPackages}}' \
- > ${{ github.workspace }}/published-packages.json
+ env:
+ PUBLISHED_PACKAGES: ${{ steps.create-release-pr.outputs.publishedPackages }}
+ run: echo "$PUBLISHED_PACKAGES" > ${{ github.workspace }}/published-packages.json
 - name: Upload Published Packages
 if: steps.create-release-pr.outputs.published == 'true'
 uses: actions/upload-artifact@v4
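Review bot: The new `run:` line still expands `${{ github.workspace }}` into the script text and leaves the redirect target unquoted, so one template expansion remains inside shell code after the fix. The value is runner-controlled, so the risk is low, but using the runner's own variable keeps the step free of `${{ }}` in `run:` and survives a workspace path that contains spaces. `echo` can also alter the payload if the step's shell treats backslashes or a leading `-n`/`-e` specially, which matters for JSON written to a file; `printf '%s\n'` writes it verbatim. I would change the line to `run: printf '%s\n' "$PUBLISHED_PACKAGES" > "$GITHUB_WORKSPACE/published-packages.json"`. The `Upload Published Packages` step that consumes the file continues outside the hunk, so the path it reads should be checked against this one.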