kevinjqliu opened a new pull request, #2164: URL: https://github.com/apache/iceberg-rust/pull/2164
Potential fix for [https://github.com/apache/iceberg-rust/security/code-scanning/1](https://github.com/apache/iceberg-rust/security/code-scanning/1)

To fix the issue, pass `github.event.workflow_run.head_branch` into the shell as an environment variable instead of interpolating it directly in the script, and then reference only the environment variable inside the `run` block. This follows the safer pattern from the “Secure Workflow” example, where GitHub expressions are resolved into environment variables and then treated as inert data.

Concretely, update the `Validate release tag format` step:

- Add an `env:` section with two variables:
  - `DISPATCH_RELEASE_TAG: ${{ github.event.inputs.release_tag }}`
  - `RUN_HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}`
- Replace the direct usages of `${{ github.event.inputs.release_tag }}` and `${{ github.event.workflow_run.head_branch }}` in the shell script with `$DISPATCH_RELEASE_TAG` and `$RUN_HEAD_BRANCH` respectively.

This change is all within `.github/workflows/release_python.yml`, in the `validate-release-tag` job, `Validate release tag format` step. No new methods, external definitions, or imports are required.

_Suggested fixes powered by Copilot Autofix. Review carefully before merging._
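The two forms of the step side by side, as an added illustration that is neither the PR's diff nor the real contents of `release_python.yml`: the first interpolates the expressions into the script text (the pattern code scanning flagged), the second passes them through `env:` as the description above prescribes. The job layout, the `workflow_dispatch`/`workflow_run` branching and the `v0.0.0` tag regex are assumptions made for the example.

```yaml
# Constructed example, not the project's actual workflow file.
jobs:
  # Before: ${{ ... }} is expanded into the script body before the shell
  # parses it, so any shell metacharacters in a branch name or dispatch
  # input become part of the script rather than data.
  validate-release-tag-unsafe:
    runs-on: ubuntu-latest
    steps:
      - name: Validate release tag format (interpolated; flagged)
        run: |
          if [ "$GITHUB_EVENT_NAME" = "workflow_dispatch" ]; then
            TAG="${{ github.event.inputs.release_tag }}"
          else
            TAG="${{ github.event.workflow_run.head_branch }}"
          fi
          echo "$TAG" | grep -Eq '^v[0-9]+\.[0-9]+\.[0-9]+$'   # assumed format

  # After: the same values arrive as environment variables. The script
  # text is fixed at authoring time, and the shell treats "$VAR" as data.
  validate-release-tag:
    runs-on: ubuntu-latest
    steps:
      - name: Validate release tag format
        env:
          DISPATCH_RELEASE_TAG: ${{ github.event.inputs.release_tag }}
          RUN_HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}
        run: |
          if [ "$GITHUB_EVENT_NAME" = "workflow_dispatch" ]; then
            TAG="$DISPATCH_RELEASE_TAG"
          else
            TAG="$RUN_HEAD_BRANCH"
          fi
          # Always quote the variable, validate against an allowlist
          # pattern (assumed format), and fail the job on a mismatch.
          if ! printf '%s\n' "$TAG" | grep -Eq '^v[0-9]+\.[0-9]+\.[0-9]+$'; then
            echo "::error::release tag '$TAG' does not match expected format" >&2
            exit 1
          fi
```

Only the `run` body differs between the two jobs: in the second, no `${{ }}` expression appears inside the script at all, so the untrusted values can only ever be read from variables, never executed as code.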
