From fe4945668127b522474923e08dbb719256fe6f2b Mon Sep 17 00:00:00 2001
From: Zac Farrell
Date: Wed, 27 May 2026 08:43:26 -0700
Subject: [PATCH] fix(ci): prevent template injection in release tag validation
---
 .github/workflows/release.yml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 084f57a..324ce40 100644
--- .github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -23,11 +23,12 @@ jobs:
 steps:
 - name: Validate release tag format
 if: github.event_name == 'workflow_dispatch'
+ env:
+ INPUT_TAG: ${{ github.event.inputs.tag }}
 run: |
 set -euo pipefail
- tag="${{ github.event.inputs.tag }}"
- if [[ ! "$tag" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
- echo "tag must look like vX.Y.Z, got: $tag" >&2
+ if [[ ! "$INPUT_TAG" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+ echo "tag must look like vX.Y.Z, got: $INPUT_TAG" >&2
 exit 1
 fi
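Review bot: The failure branch still writes the rejected value verbatim to the job log with `echo "tag must look like vX.Y.Z, got: $INPUT_TAG" >&2`, and a value that failed the regex can contain anything, including newlines. Moving the input into `env:` keeps it out of the shell source, but a multi-line value can still forge log lines, and a line beginning with `::` may be read by the runner as a workflow command. Printing it shell-quoted keeps it on one line: `printf 'tag must look like vX.Y.Z, got: %q\n' "$INPUT_TAG" >&2`. The rest of the job is outside this hunk; any other `run:` block that still expands `${{ github.event.inputs.tag }}` directly would need the same `env:` indirection.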