fix: Prevent shell injection in GitHub Actions workflow

fix-it-felix-sentry[bot] · claude · fix-it-felix-sentry[bot] · commit fa99fca8a121 · 2026-05-03T21:29:52.000Z
Fix shell injection vulnerability in e2e-v2.yml by using environment
variables instead of direct interpolation of github.ref context data.

The github.ref value is now passed through an intermediate environment
variable (REF) and accessed with double-quotes in the script to prevent
potential code injection attacks.

Co-Authored-By: Claude Sonnet 4.5 &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/e2e-v2.yml b/.github/workflows/e2e-v2.yml
@@ -291,8 +291,10 @@ jobs:
 
       - name: Sentry Release
         if: ${{ steps.platform-check.outputs.skip != 'true' }}
+        env:
+          REF: ${{ github.ref }}
         run: |
-          SENTRY_RELEASE_CANDIDATE=$(echo 'e2e/${{ github.ref }}' | perl -pe 's/\//-/g')
+          SENTRY_RELEASE_CANDIDATE=$(echo "e2e/$REF" | perl -pe 's/\//-/g')
           echo "SENTRY_RELEASE=$SENTRY_RELEASE_CANDIDATE" >> $GITHUB_ENV
 
       - name: Sentry Dist
