From 6727113b2b69cfc5b8c91898d671ba5e7dc74ba6 Mon Sep 17 00:00:00 2001
From: "Jay R. Wren"
Date: Mon, 6 Apr 2026 12:24:28 -0400
Subject: [PATCH] gh workflow release: protect from ref_name attack (#1650)

It is not likely, but better to be safe.
---
 .github/workflows/release.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 9ce1d5e3..a5e8d397 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -209,10 +209,11 @@ jobs:
 id: create_release
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GITHUB_REF_NAME: ${{ github.ref_name }}
 run: |
 cd artifacts
 gh release create \
 --verify-tag \
- --title "Release ${{ github.ref_name }}" \
- "${{ github.ref_name }}" \
+ --title "Release ${GITHUB_REF_NAME}" \
+ "${GITHUB_REF_NAME}" \
 SHASUM256.txt *-latest/*.zip *-latest/*.tar.gz
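Review bot: The new `env:` entry reuses the name `GITHUB_REF_NAME`, which the runner already exports as a default variable, so the mapping is either redundant or, since GitHub documents the `GITHUB_*` defaults as not overridable, silently ignored. The quoted shell expansion in `run:` is the right fix. A distinct name would make the explicit hand-off visible, for example `RELEASE_TAG: ${{ github.ref_name }}` with `--title "Release ${RELEASE_TAG}"` and `"${RELEASE_TAG}"`. It would also help to add a comment above the entry such as `# Pass the ref through env; do not interpolate ${{ }} expressions into run: scripts`, so a later edit does not reintroduce inline interpolation. The step starts above this hunk and the workflow trigger is not visible, so I could not check whether other `run:` blocks in the file still expand `${{ github.* }}` values directly.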