From 6c8f158ea3e172c806879f28bd451ee1f3ad814b Mon Sep 17 00:00:00 2001 From: Yuta Kasai Date: Fri, 10 Oct 2025 14:37:24 +0900 Subject: [PATCH] NO-ISSUE Prevent command injection when creating release notes --- .github/workflows/create-draft-release.yml | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/.github/workflows/create-draft-release.yml b/.github/workflows/create-draft-release.yml index 60120094..beb9d00f 100644 --- a/.github/workflows/create-draft-release.yml +++ b/.github/workflows/create-draft-release.yml @@ -106,7 +106,8 @@ jobs: .concat(`\n\n${footer}`); console.log(`releaseNotes (modified): ${JSON.stringify(modifiedBody, null, 2)}`); - core.setOutput("release_body", modifiedBody); + const fs = require('fs'); + fs.writeFileSync('release-notes.txt', modifiedBody, { encoding: 'utf8' }); - name: Prepare Release Title id: title @@ -118,10 +119,6 @@ jobs: SANITIZED_TITLE="$(printf '%s' "$RAW_TITLE" | sed 's/"/\\"/g')" echo "sanitized_title=$SANITIZED_TITLE" >> "$GITHUB_OUTPUT" - - name: Write Release Notes to File - run: | - echo "${{ steps.generate-release-notes.outputs.release_body }}" > release-notes.txt - - name: Create Draft Release run: | gh release create "${{ steps.calculate-version.outputs.new_version }}" \
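Review bot: The new `fs.writeFileSync('release-notes.txt', …)` line carries no explanation of why the body is now written to a file instead of exported with `core.setOutput`, and since the reason is a security invariant (the body is presumably built from PR/commit text and must never reach a shell `run:` block through `${{ }}` expansion) a future maintainer could easily reinstate the output "for convenience"; a one-line comment above the write would guard that: `// Write to a file rather than a step output: the body is untrusted text and must never be expanded via ${{ }} into a shell command.` The diff removes only one consumer of `release_body`, so any other step referencing `steps.generate-release-notes.outputs.release_body` would now silently receive an empty string — worth a quick grep if that cannot be ruled out from here. The path is relative to the github-script step's working directory, so the step that reads it must run in the same job and directory; the `gh release create` flags that consume the file are outside this hunk.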
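Review bot: The context line `gh release create "${{ steps.calculate-version.outputs.new_version }}" \` keeps the same `${{ }}`-into-shell pattern that this commit removes for the release body: the expression is substituted into the script before bash parses it, so the surrounding double quotes give no protection against a value containing `"`, `$(…)` or a newline. If `new_version` is derived purely from existing tags the risk is low, but the safe form costs nothing and keeps the workflow consistent with the fix: add `env:` / `NEW_VERSION: ${{ steps.calculate-version.outputs.new_version }}` to the step and change the command to `gh release create "$NEW_VERSION" \`. The same caveat applies to `sanitized_title`: the `sed 's/"/\\"/g'` escaping only neutralizes double quotes, not `$(…)`, backticks or newlines, so it is not a substitute for passing the value through `env:`; where that output is consumed is beyond the hunk, as the Create Draft Release `run:` block continues past the last line shown.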