From a15e2dcd07a140c1933521cd18311024b3b597fa Mon Sep 17 00:00:00 2001
From: Marco Nenciarini
Date: Tue, 3 Mar 2026 18:25:22 +0100
Subject: [PATCH] fix(security): harden GitHub Actions workflows against expression injection

Move ${{ }} expressions from run: blocks into step-level env: blocks, then reference them as properly-quoted shell variables.

Signed-off-by: Marco Nenciarini
---
 .github/workflows/release-please.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index 51e6f4b9..3ea0d114 100644
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -51,10 +51,12 @@ jobs:
       # We use a GitHub token with write permissions to create the release,
       # otherwise we won't be able to trigger a new run when pushing on main.
       - name: Run release-please
+        env:
+          REPO_URL: ${{ github.repository }}
         run: |
           npx release-please release-pr \
             --token="${{ secrets.REPO_PAT }}" \
-            --repo-url="${{ github.repository }}"
+            --repo-url="${REPO_URL}"
           npx release-please github-release \
             --token="${{ secrets.REPO_PAT }}" \
-            --repo-url="${{ github.repository }}"
+            --repo-url="${REPO_URL}"
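Review bot: The two `--token="${{ secrets.REPO_PAT }}"` lines still interpolate an expression straight into the `run:` script, so the hunk only half-applies the rule stated in the commit message. A secret is not attacker-controlled the way `github.event.*` fields are, but leaving it inline means the token value is spliced into the generated shell source rather than passed through the process environment, and it is the pattern the commit says it is removing. For consistency add `REPO_PAT: ${{ secrets.REPO_PAT }}` under the new `env:` block and change both call sites to `--token="${REPO_PAT}"`. `github.repository` is the `owner/repo` slug rather than a URL, so `REPO_URL` is a slightly misleading name; `REPO_SLUG` or a short comment on the `env:` line would save the next reader a lookup.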