Fix shell injection vulnerability in release workflow

fix-it-felix-sentry[bot] · claude · fix-it-felix-sentry[bot] · commit c67de6d3d0a2 · 2026-04-29T06:08:57.000Z
Move github.ref_name from direct interpolation to environment variable to prevent potential code injection attacks. This addresses the security finding where untrusted GitHub context data could be used to inject malicious code into the runner. Fixes: https://linear.app/getsentry/issue/VULN-1591 Fixes: https://linear.app/getsentry/issue/CCMRG-2208 Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
diff --git a/.github/workflows/release-codecov-cli.yml b/.github/workflows/release-codecov-cli.yml
@@ -47,5 +47,6 @@ jobs:
       - name: Publish a message to a Pub/Sub topic
         env:
           CLOUDSDK_CORE_PROJECT: ${{ secrets.GCLOUD_UPLOADER_PROJECT_ID }}
+          REF_NAME: ${{ github.ref_name }}
         run: |
-          gcloud pubsub topics publish ${{ secrets.GCLOUD_UPLOADER_PUBSUB_TOPIC }} --message '{"release":"'"${{ github.ref_name }}"'", "latest":true}'
+          gcloud pubsub topics publish ${{ secrets.GCLOUD_UPLOADER_PUBSUB_TOPIC }} --message '{"release":"'"$REF_NAME"'", "latest":true}'
