From 184ae054f0d67567d5190ea9d33101a4adfd4bd3 Mon Sep 17 00:00:00 2001
From: resq-sw <engineer@resq.software>
Date: Sun, 10 May 2026 09:32:20 -0400
Subject: [PATCH] ci(api-docs): sync workflow from resq-software/docs

Sync .github/workflows/api-docs.yml from the canonical template at
automation/source-repo-templates/api-docs.dotnet.yml in
resq-software/docs.

Generated by automation/sync-templates.sh.
---
 .github/workflows/api-docs.yml | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/api-docs.yml b/.github/workflows/api-docs.yml
index 6aadbbb..da7da87 100644
--- a/.github/workflows/api-docs.yml
+++ b/.github/workflows/api-docs.yml
@@ -68,8 +68,17 @@ jobs:
         # workflow_dispatch can pass an alternate ref via inputs.ref;
         # fall back to github.ref_name (already stripped of refs/...).
         # DOCS_REF_SLUG is branch-safe for use in PR/branch names.
+        #
+        # The ref is routed through env: instead of being inlined via
+        # ${{ }}. Inlining at template-expansion time would interpolate
+        # the raw string into the shell literal, so a tag name with a
+        # single quote (Git allows it) could break out of the quoted
+        # context. Env indirection keeps user-controlled data on the
+        # variable side of the shell parser, where it cannot escape.
+        env:
+          REF_RAW: ${{ inputs.ref || github.ref_name }}
         run: |
-          raw='${{ inputs.ref || github.ref_name }}'
+          raw="$REF_RAW"
           raw="${raw#refs/tags/}"
           raw="${raw#refs/heads/}"
           slug="${raw//\//-}"