From dd0207f4d82ce6015bfa069877ad7c2860455982 Mon Sep 17 00:00:00 2001
From: lloyd <110528100+lloyd-c137@users.noreply.github.com>
Date: Tue, 12 May 2026 18:04:21 +0800
Subject: [PATCH] fix: shell injection safety via github.ref_name in publish
 workflow (#10327)

Co-authored-by: lloyd-c137 <lloyd@lloydev.com>
---
 .github/workflows/publish.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 1aa5ea80c3ad..ceab37963b54 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -41,7 +41,7 @@ jobs:
         run: pnpm build
 
       - name: Publish to npm
-        run: npm i -g npm@^11.5.2 && pnpm run publish-ci ${{ github.ref_name }}
+        run: npm i -g npm@^11.5.2 && pnpm run publish-ci "${{ github.ref_name }}"
 
       - name: Generate Changelog
         run: npx changelogithub