fix(ci): Prevent command injection in ci-metadata workflow

[fix-it-felix-sentry]

Summary

This PR fixes a high-severity security vulnerability where GitHub context data was being directly interpolated into a shell script, potentially allowing command injection attacks.

Changes

• Moved github.event.pull_request.head.sha and related GitHub context expressions into an environment variable COMMIT_SHA_EXPR
• Updated the shell script to reference the environment variable with proper quoting ("$COMMIT_SHA_EXPR")
• This prevents untrusted input from being directly executed in the shell

Security Impact

Before this fix, an attacker could potentially inject malicious code through pull request metadata, which would be executed in the GitHub Actions runner with access to secrets and code.

After this fix, the GitHub context data is safely passed through an environment variable, preventing command injection.

References

• Parent ticket: https://linear.app/getsentry/issue/VULN-1328
• Child ticket: https://linear.app/getsentry/issue/JS-1972
• GitHub Actions Security Hardening
• GitHub Security Lab: Untrusted Input
• Semgrep Rule

[linear-code]

VULN-1328 Command Injection vulnerability in getsentry/sentry-javascript .github/workflows/ci-metadata.yml

[github-actions]

Semver Impact of This PR

🟢 Patch (bug fixes)

📋 Changelog Preview

This is how your changes will appear in the changelog.
Entries from this PR are highlighted with a left border (blockquote style).

---

New Features ✨

Deps

• Bump mongodb-memory-server-global from 10.1.4 to 11.0.1 by dependabot in #19888
• Bump stacktrace-parser from 0.1.10 to 0.1.11 by dependabot in #19887

Bug Fixes 🐛

• (ci) Prevent command injection in ci-metadata workflow by fix-it-felix-sentry[bot] in #19899

• (core) Return same value from startSpan as callback returns by s1gr1d in #19300
• (deps) Bump socket.io-parser to 4.2.6 to fix CVE-2026-33151 by chargome in #19880
• (nestjs) Add node to nest metadata by chargome in #19875
• (serverless) Add node to metadata by nicohrubec in #19878

Internal Changes 🔧

• (astro) Re-enable server island tracing e2e test in Astro 6 by Lms24 in #19872
• (lint) Resolve oxlint warnings by isaacs in #19893
• (node-integration-tests) Remove unnecessary file-type dependency by Lms24 in #19824

---

_{🤖 This preview updates automatically when you update the PR.}

[github-actions]

size-limit report 📦

⚠️ Warning: Base artifact is not the latest one, because the latest workflow run is not done yet. This may lead to incorrect results. Try to re-run all tests to get up to date results.

Path	Size	% Change	Change
@sentry/browser	25.69 kB	+0.2%	+49 B 🔺
@sentry/browser - with treeshaking flags	24.17 kB	+0.14%	+33 B 🔺
@sentry/browser (incl. Tracing)	42.67 kB	+0.13%	+54 B 🔺
@sentry/browser (incl. Tracing, Profiling)	47.33 kB	+0.12%	+55 B 🔺
@sentry/browser (incl. Tracing, Replay)	81.48 kB	+0.08%	+57 B 🔺
@sentry/browser (incl. Tracing, Replay) - with treeshaking flags	71.06 kB	+0.1%	+69 B 🔺
@sentry/browser (incl. Tracing, Replay with Canvas)	86.17 kB	+0.06%	+50 B 🔺
@sentry/browser (incl. Tracing, Replay, Feedback)	98.41 kB	+0.04%	+36 B 🔺
@sentry/browser (incl. Feedback)	42.48 kB	+0.08%	+30 B 🔺
@sentry/browser (incl. sendFeedback)	30.35 kB	+0.15%	+43 B 🔺
@sentry/browser (incl. FeedbackAsync)	35.4 kB	+0.12%	+39 B 🔺
@sentry/browser (incl. Metrics)	26.96 kB	+0.15%	+38 B 🔺
@sentry/browser (incl. Logs)	27.1 kB	+0.12%	+32 B 🔺
@sentry/browser (incl. Metrics & Logs)	27.78 kB	+0.15%	+39 B 🔺
@sentry/react	27.45 kB	+0.22%	+58 B 🔺
@sentry/react (incl. Tracing)	45.01 kB	+0.14%	+60 B 🔺
@sentry/vue	30.13 kB	+0.16%	+46 B 🔺
@sentry/vue (incl. Tracing)	44.52 kB	+0.09%	+39 B 🔺
@sentry/svelte	25.7 kB	+0.16%	+40 B 🔺
CDN Bundle	28.35 kB	+0.27%	+75 B 🔺
CDN Bundle (incl. Tracing)	43.57 kB	+0.15%	+62 B 🔺
CDN Bundle (incl. Logs, Metrics)	29.22 kB	+0.27%	+77 B 🔺
CDN Bundle (incl. Tracing, Logs, Metrics)	44.43 kB	+0.17%	+75 B 🔺
CDN Bundle (incl. Replay, Logs, Metrics)	68.29 kB	+0.13%	+85 B 🔺
CDN Bundle (incl. Tracing, Replay)	80.41 kB	+0.1%	+73 B 🔺
CDN Bundle (incl. Tracing, Replay, Logs, Metrics)	81.31 kB	+0.1%	+76 B 🔺
CDN Bundle (incl. Tracing, Replay, Feedback)	85.97 kB	+0.12%	+103 B 🔺
CDN Bundle (incl. Tracing, Replay, Feedback, Logs, Metrics)	86.86 kB	+0.1%	+86 B 🔺
CDN Bundle - uncompressed	82.7 kB	+0.1%	+77 B 🔺
CDN Bundle (incl. Tracing) - uncompressed	128.62 kB	+0.05%	+64 B 🔺
CDN Bundle (incl. Logs, Metrics) - uncompressed	85.57 kB	+0.1%	+77 B 🔺
CDN Bundle (incl. Tracing, Logs, Metrics) - uncompressed	131.49 kB	+0.05%	+64 B 🔺
CDN Bundle (incl. Replay, Logs, Metrics) - uncompressed	209.22 kB	+0.05%	+102 B 🔺
CDN Bundle (incl. Tracing, Replay) - uncompressed	245.5 kB	+0.04%	+89 B 🔺
CDN Bundle (incl. Tracing, Replay, Logs, Metrics) - uncompressed	248.35 kB	+0.04%	+89 B 🔺
CDN Bundle (incl. Tracing, Replay, Feedback) - uncompressed	258.41 kB	+0.04%	+89 B 🔺
CDN Bundle (incl. Tracing, Replay, Feedback, Logs, Metrics) - uncompressed	261.26 kB	+0.04%	+89 B 🔺
@sentry/nextjs (client)	47.4 kB	+0.08%	+37 B 🔺
@sentry/sveltekit (client)	43.12 kB	+0.12%	+51 B 🔺
@sentry/node-core	56.42 kB	+0.13%	+73 B 🔺
@sentry/node	173.37 kB	+0.13%	+213 B 🔺
@sentry/node - without tracing	96.43 kB	+0.1%	+87 B 🔺
@sentry/aws-serverless	113.44 kB	+0.09%	+102 B 🔺

View base workflow run

[github-actions]

node-overhead report 🧳

Note: This is a synthetic benchmark with a minimal express app and does not necessarily reflect the real-world performance impact in an application.

Scenario	Requests/s	% of Baseline	Prev. Requests/s	Change %
GET Baseline	11,109	-	9,428	+18%
GET With Sentry	1,949	18%	1,746	+12%
GET With Sentry (error only)	7,372	66%	6,190	+19%
POST Baseline	1,178	-	1,217	-3%
POST With Sentry	604	51%	592	+2%
POST With Sentry (error only)	1,040	88%	1,059	-2%
MYSQL Baseline	3,964	-	3,297	+20%
MYSQL With Sentry	565	14%	480	+18%
MYSQL With Sentry (error only)	3,250	82%	2,670	+22%

View base workflow run