From ddbf78dae36467deafd09a7e5f8729a73e79d1d2 Mon Sep 17 00:00:00 2001 From: OnestarLee Date: Tue, 15 Jul 2025 10:08:38 +0900 Subject: [PATCH 1/2] chore: improve version handling in publish-package.yml for security --- .github/workflows/publish-package.yml | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/.github/workflows/publish-package.yml b/.github/workflows/publish-package.yml index e15ad2d6c..f48a11eb7 100644 --- a/.github/workflows/publish-package.yml +++ b/.github/workflows/publish-package.yml @@ -18,8 +18,11 @@ jobs: - uses: actions/setup-node@v4 - name: 'validation' uses: actions/github-script@v7 + env: + VERSION: ${{ github.event.inputs.version }} with: script: | + const version = process.env.VERSION; const permission = await github.rest.repos.getCollaboratorPermissionLevel({ owner: context.repo.owner, repo: context.repo.repo, @@ -29,8 +32,8 @@ jobs: core.setFailed(`User ${context.actor} does not have write or admin permissions to this repository.`); } const currentBranch = context.ref.replace('refs/heads/', ''); - if (currentBranch !== `release/${{ github.event.inputs.version }}`) { - core.setFailed(`Current branch ${currentBranch} does not match release/${{ github.event.inputs.version }}`); + if (currentBranch !== `release/${version}`) { + core.setFailed(`Branch ${currentBranch} ≠ release/${version}`); } const pullRequests = await github.rest.pulls.list({ owner: context.repo.owner, @@ -53,11 +56,13 @@ jobs: - name: 'publish to npm' env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + VERSION: ${{ github.event.inputs.version }} run: | - yarn lerna version ${{ github.event.inputs.version }} --yes + yarn lerna version "$VERSION" --yes yarn lerna publish from-git --yes - name: 'approve a pull request' env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + PR_NUMBER: ${{ env.PR_NUMBER }} run: | - gh pr review ${{ env.PR_NUMBER }} --approve --body "approved by automation" + gh pr review "$PR_NUMBER" --approve --body "approved by automation" 
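Review bot: `const version = process.env.VERSION;` in the validation script is taken as-is and never checked against a version shape, although the same input decides the `release/${version}` branch comparison and, in the third hunk, is passed to `yarn lerna version "$VERSION" --yes`. Reading it from `env` instead of interpolating `${{ }}` into the script body is the right fix for expression injection, so the remaining gap is input validation: an early `if (!/^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/.test(version)) { core.setFailed(`Invalid version: ${version}`); return; }` would stop a malformed dispatch input before anything is tagged. Note too that `core.setFailed` marks the step failed but, as far as I know, does not abort the script, so the permission and branch checks fall through to the pull-request listing; an explicit `return` after each `core.setFailed` keeps the failure path short. The script body continues outside the hunk.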
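Review bot: `PR_NUMBER: ${{ env.PR_NUMBER }}` in the 'approve a pull request' step re-exports a value that is presumably already in the job environment (a workflow `env.PR_NUMBER` set via `$GITHUB_ENV` in a step not shown here is visible to `run` as `$PR_NUMBER` without this mapping), so the line looks redundant rather than wrong; keep it only if the intent is to make the dependency explicit. Since the step now passes `"$PR_NUMBER"` to `gh pr review --approve`, a shape check such as `[[ "$PR_NUMBER" =~ ^[0-9]+$ ]] || { echo "PR_NUMBER is not numeric" >&2; exit 1; }` before the call turns an empty or unexpected value into a clear failure instead of an approval attempt on whatever `gh` resolves.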
From c37fff7b423d177129ca47e652b5f4589f99175a Mon Sep 17 00:00:00 2001 From: OnestarLee Date: Tue, 15 Jul 2025 10:17:18 +0900 Subject: [PATCH 2/2] chore: comment out npm publish step in publish-package.yml --- .github/workflows/publish-package.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/publish-package.yml b/.github/workflows/publish-package.yml index f48a11eb7..0f6245829 100644 --- a/.github/workflows/publish-package.yml +++ b/.github/workflows/publish-package.yml @@ -53,13 +53,13 @@ jobs: echo "//registry.npmjs.org/:_authToken=${{ secrets.npm_token }}" >> .npmrc git config --global user.email "sha.sdk_deployment@sendbird.com" git config --global user.name "sendbird-sdk-deployment" - - name: 'publish to npm' - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - VERSION: ${{ github.event.inputs.version }} - run: | - yarn lerna version "$VERSION" --yes - yarn lerna publish from-git --yes +# - name: 'publish to npm' +# env: +# GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} +# VERSION: ${{ github.event.inputs.version }} +# run: | +# yarn lerna version "$VERSION" --yes +# yarn lerna publish from-git --yes - name: 'approve a pull request' env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
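Review bot: Commenting out the 'publish to npm' step leaves the two steps around it active: the preceding `echo "//registry.npmjs.org/:_authToken=${{ secrets.npm_token }}" >> .npmrc` still writes the npm token into the workspace with no step left to use it, and the following 'approve a pull request' step still approves the release PR even though nothing was versioned or published. If the publish is meant to be paused, gating the step with a condition (for example `if: ${{ false }}` or a boolean workflow input) and applying the same condition to the `.npmrc` write keeps the token off disk and makes the intent visible in the run log, rather than leaving seven commented lines to drift. Commented-out blocks in CI files also tend to be re-enabled by uncommenting without re-review; a `# TODO:` naming why the step is disabled and when it returns would help the next maintainer.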