From 8c2ff9e188214924f8c27d9081ab186600294785 Mon Sep 17 00:00:00 2001
From: Szymon Wlodarski
Date: Mon, 2 Feb 2026 09:48:21 +0100
Subject: [PATCH] Security: Fix untrusted input vulnerability in release workflow
---
 .github/workflows/release.yml | 16 ++++------------
 1 file changed, 4 insertions(+), 12 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index b7360c9f..f47767d5 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -10,25 +10,17 @@ jobs:
 name: Publish changelog to Readme
 runs-on: ubuntu-latest
 steps:
- - name: Extract release data
- id: release
- run: |
- echo "title=${{ github.event.release.name }}" >> $GITHUB_OUTPUT
- {
- echo "body<> $GITHUB_OUTPUT
 - name: Install jq
 run: sudo apt-get update && sudo apt-get install -y jq
 - name: Publish changelog to Readme
 env:
 README_API_KEY: ${{ secrets.README_API_KEY }}
+ RELEASE_TITLE: ${{ github.event.release.name }}
+ RELEASE_BODY: ${{ github.event.release.body }}
 run: |
- jq -n --arg title "Java Unified SDK ${{ steps.release.outputs.title }}" \
- --arg body "${{ steps.release.outputs.body }}" \
+ jq -n --arg title "Java Unified SDK $RELEASE_TITLE" \
+ --arg body "$RELEASE_BODY" \
 '{ title: $title, content: {