security: fix template injection and credential persistence issues

blink-so[bot] · matifali · blink-so[bot] · commit d73ff08a32dc · 2025-08-23T19:48:31.000Z
- Add persist-credentials: false to checkout step to prevent credential leakage
- Use environment variables instead of direct template expansion in shell commands
- This prevents potential code injection attacks via malicious tag names

Fixes identified by zizmor security scanner:
- artipacked: credential persistence through GitHub Actions artifacts
- template-injection: code injection via template expansion

Co-authored-by: matifali &lt;matifali@users.noreply.github.com&gt;
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -19,6 +19,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0  # Fetch full history for changelog generation
+          persist-credentials: false
       
       - name: Extract tag information
         id: tag_info
@@ -44,11 +45,11 @@ jobs:
       
       - name: Find previous tag
         id: prev_tag
+        env:
+          NAMESPACE: ${{ steps.tag_info.outputs.namespace }}
+          MODULE: ${{ steps.tag_info.outputs.module }}
+          CURRENT_TAG: ${{ steps.tag_info.outputs.tag }}
         run: |
-          NAMESPACE="${{ steps.tag_info.outputs.namespace }}"
-          MODULE="${{ steps.tag_info.outputs.module }}"
-          CURRENT_TAG="${{ steps.tag_info.outputs.tag }}"
-          
           # Find the previous tag for this specific module
           PREV_TAG=$(git tag -l "release/$NAMESPACE/$MODULE/v*" | grep -v "$CURRENT_TAG" | sort -V | tail -1)
           
@@ -62,13 +63,13 @@ jobs:
       
       - name: Generate changelog
         id: changelog
+        env:
+          NAMESPACE: ${{ steps.tag_info.outputs.namespace }}
+          MODULE: ${{ steps.tag_info.outputs.module }}
+          MODULE_PATH: ${{ steps.tag_info.outputs.module_path }}
+          PREV_TAG: ${{ steps.prev_tag.outputs.prev_tag }}
+          CURRENT_TAG: ${{ steps.tag_info.outputs.tag }}
         run: |
-          NAMESPACE="${{ steps.tag_info.outputs.namespace }}"
-          MODULE="${{ steps.tag_info.outputs.module }}"
-          MODULE_PATH="${{ steps.tag_info.outputs.module_path }}"
-          PREV_TAG="${{ steps.prev_tag.outputs.prev_tag }}"
-          CURRENT_TAG="${{ steps.tag_info.outputs.tag }}"
-          
           echo "Generating changelog for $MODULE_PATH between $PREV_TAG and $CURRENT_TAG"
           
           # Get commits that affected the specific module path
@@ -128,8 +129,11 @@ jobs:
       - name: Create Release
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          TAG_NAME: ${{ steps.tag_info.outputs.tag }}
+          RELEASE_TITLE: ${{ steps.tag_info.outputs.release_title }}
+          CHANGELOG: ${{ steps.changelog.outputs.changelog }}
         run: |
-          gh release create "${{ steps.tag_info.outputs.tag }}" \
-            --title "${{ steps.tag_info.outputs.release_title }}" \
-            --notes "${{ steps.changelog.outputs.changelog }}" \
+          gh release create "$TAG_NAME" \
+            --title "$RELEASE_TITLE" \
+            --notes "$CHANGELOG" \
             --latest
