chore: prevent script injection

olivermeyer · olivermeyer · commit baf77049ee11 · 2026-04-20T16:25:39.000+02:00
diff --git a/.github/workflows/merge-release.yml b/.github/workflows/merge-release.yml
@@ -36,8 +36,9 @@ jobs:
 
       - name: Resolve release branch
         id: branch
+        env:
+          INPUT: ${{ inputs.branch }}
         run: |
-          INPUT="${{ inputs.branch }}"
           if [ -n "$INPUT" ]; then
             BRANCH="$INPUT"
           else
diff --git a/.github/workflows/prepare-release.yml b/.github/workflows/prepare-release.yml
@@ -43,9 +43,9 @@ jobs:
 
       - name: Validate version
         id: version
+        env:
+          INPUT: ${{ inputs.version }}
         run: |
-          INPUT="${{ inputs.version }}"
-
           # Must be an explicit x.y.z semver
           if ! echo "$INPUT" | grep -qE '^\d+\.\d+\.\d+$'; then
             echo "❌ Invalid version: '$INPUT'. Must be an explicit semver like '1.3.0'."
diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml
@@ -35,8 +35,9 @@ jobs:
 
       - name: Resolve release branch
         id: branch
+        env:
+          INPUT: ${{ inputs.branch }}
         run: |
-          INPUT="${{ inputs.branch }}"
           if [ -n "$INPUT" ]; then
             BRANCH="$INPUT"
           else
