From 785ab3ad1f897ae7f88b6880e78680a694e6fcb6 Mon Sep 17 00:00:00 2001
From: RAprogramm
Date: Sun, 19 Oct 2025 10:38:15 +0700
Subject: [PATCH] #41 fix: checkout tested commit in auto-release workflow

- Add ref: github.event.workflow_run.head_sha to checkout
- Ensures release is built from exact commit that passed CI
- Prevents releasing untested code if new commits land on main

This fixes CodeQL P1 security alert: workflow was checking out current main HEAD instead of the commit that actually passed CI. If another commit landed between CI success and release run, untested code could be released. Now workflow checks out the exact SHA that triggered it via workflow_run event, ensuring only tested code is released.
---
 .github/workflows/auto-release.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/auto-release.yml b/.github/workflows/auto-release.yml
index c6906de..3dc280d 100644
--- a/.github/workflows/auto-release.yml
+++ b/.github/workflows/auto-release.yml
@@ -22,6 +22,7 @@ jobs:
 steps:
 - uses: actions/checkout@v4
 with:
+ ref: ${{ github.event.workflow_run.head_sha }}
 fetch-depth: 0
 - name: Install dependencies