From fb2dcd36d30e0cd0b8dd096e253110481080146a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bastian=20Echterh=C3=B6lter?=
Date: Tue, 7 Apr 2026 10:52:07 +0200
Subject: [PATCH] fix: prevent command injection via version input in release workflow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Pass inputs.version through an environment variable instead of interpolating it directly into the shell script, avoiding injection via crafted workflow_dispatch input values.

Signed-off-by: Bastian Echterhölter
On-behalf-of: @SAP
---
 .github/workflows/release-openmfp.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/release-openmfp.yml b/.github/workflows/release-openmfp.yml
index 6360983..ba21189 100644
--- a/.github/workflows/release-openmfp.yml
+++ b/.github/workflows/release-openmfp.yml
@@ -23,10 +23,12 @@ jobs:
 portal-ui-lib
 portal-server-lib
 - name: Release portal-ui-lib
- run: gh workflow run release.yml --repo openmfp/portal-ui-lib --field version="${{ inputs.version }}"
+ run: gh workflow run release.yml --repo openmfp/portal-ui-lib --field version="$VERSION"
 env:
+ VERSION: ${{ inputs.version }}
 GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
 - name: Release portal-server-lib
- run: gh workflow run release.yml --repo openmfp/portal-server-lib --field version="${{ inputs.version }}"
+ run: gh workflow run release.yml --repo openmfp/portal-server-lib --field version="$VERSION"
 env:
+ VERSION: ${{ inputs.version }}
 GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
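Review bot: The env-var indirection in both new `run:` lines closes the shell-expansion path in this workflow, but `$VERSION` is still forwarded unvalidated as the `version` field to the dispatched `release.yml` workflows in openmfp/portal-ui-lib and openmfp/portal-server-lib, whose handling of that field is outside this file, so a format check before the first dispatch would stop a crafted value from travelling downstream. If versions follow the usual semver shape, one guard line in the first step (or a separate step ahead of both) would do: `[[ "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+([-+][0-9A-Za-z.]+)?$ ]] || { echo "invalid version: $VERSION" >&2; exit 1; }`; adjust the pattern to whatever the downstream workflows actually accept. The identical `VERSION: ${{ inputs.version }}` entry is repeated in both steps' `env:`; hoisting it to a job-level `env:` would keep the two dispatches in sync, though the job header is outside the hunk so I cannot see whether one already exists. The enclosing `steps:` list starts before the hunk, and the two leading context lines (`portal-ui-lib`, `portal-server-lib`) belong to an earlier step that is not shown.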