Merge ac88761c73 into ce7b7612ae

fix(security): harden GitHub Actions workflows against expression injection (#773 )
Move `${{ }}` expressions from `run:` blocks into step-level `env:` blocks, then reference them as properly-quoted shell variables. Part of cloudnative-pg/cloudnative-pg#10113 Assisted-by: Claude Opus 4.6 Signed-off-by: Marco Nenciarini <marco.nenciarini@enterprisedb.com>
2026-03-09 20:22:20 +01:00 · 2026-03-06 10:47:39 +01:00 · 2026-03-06 10:37:54 +01:00
1 changed files with 4 additions and 2 deletions
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@ -51,10 +51,12 @@ jobs:
      # We use a GitHub token with write permissions to create the release,
      # otherwise we won't be able to trigger a new run when pushing on main.
      - name: Run release-please
+        env:
+          REPO_URL: ${{ github.repository }}
        run: |
          npx release-please release-pr \
            --token="${{ secrets.REPO_PAT }}" \
-            --repo-url="${{ github.repository }}"
+            --repo-url="${REPO_URL}"
          npx release-please github-release \
            --token="${{ secrets.REPO_PAT }}" \
-            --repo-url="${{ github.repository }}"
+            --repo-url="${REPO_URL}"
Author	SHA1	Message	Date
renovate[bot]	5180b19ab9	Merge `ac88761c73` into `ce7b7612ae`	2026-03-06 10:47:39 +01:00
Marco Nenciarini	ce7b7612ae	fix(security): harden GitHub Actions workflows against expression injection (#773 ) Some checks failed release-please / release-please (push) Failing after 3s Details Move `${{ }}` expressions from `run:` blocks into step-level `env:` blocks, then reference them as properly-quoted shell variables. Part of cloudnative-pg/cloudnative-pg#10113 Assisted-by: Claude Opus 4.6 Signed-off-by: Marco Nenciarini <marco.nenciarini@enterprisedb.com>	2026-03-06 10:37:54 +01:00