
Conversation

@ruzickap
Contributor

@ruzickap ruzickap commented Dec 5, 2025

Fixing semgrep issue:

$ semgrep .

┌──── ○○○ ────┐
│ Semgrep CLI │
└─────────────┘

cursor .
/opt/homebrew/Cellar/semgrep/1.144.0/libexec/lib/python3.14/site-packages/glom/matching.py:797: SyntaxWarning: "\ " is an invalid escape sequence. Such sequences will not work in the future. Did you mean "\\ "? A raw string is also an option.
  |\ Spec: Or('a', 'e', 'i', 'o', 'u')
Scanning 17 files (only git-tracked) with:

✔ Semgrep OSS
  ✔ Basic security coverage for first-party code vulnerabilities.

✘ Semgrep Code (SAST)
  ✘ Find and fix vulnerabilities in the code you write with advanced scanning and expert security rules.

✘ Semgrep Supply Chain (SCA)
  ✘ Find and fix the reachable vulnerabilities in your OSS dependencies.

💎 Get started with all Semgrep products via `semgrep login`.
✨ Learn more at https://sg.run/cloud.

  ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00


┌────────────────┐
│ 1 Code Finding │
└────────────────┘

    .github/workflows/release.yaml
   ❯❯❱ yaml.github-actions.security.run-shell-injection.run-shell-injection
          Using variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an
          attacker to inject their own code into the runner. This would allow them to steal secrets and code.
          `github` context data can have arbitrary user input and should be treated as untrusted. Instead, use
          an intermediate environment variable with `env:` to store the data and use the environment variable
          in the `run:` script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR".
          Details: https://sg.run/pkzk

           34┆ run: |
           35┆   git tag --delete ${{ inputs.tag }}  || true
           36┆   git push --delete origin ${{ inputs.tag }} || true
           37┆   git tag -a ${{ inputs.tag }} -m 'Retag ${{ inputs.tag }}'
           38┆   git push origin ${{ inputs.tag }}



┌──────────────┐
│ Scan Summary │
└──────────────┘
✅ Scan completed successfully.
 • Findings: 1 (1 blocking)
 • Rules run: 321
 • Targets scanned: 17
 • Parsed lines: ~99.6%
 • Scan was limited to files tracked by git
 • For a detailed list of skipped files and lines, run semgrep with the --verbose flag
Ran 321 rules on 17 files: 1 finding.
💎 Missed out on 1390 pro rules since you aren't logged in!
⚡ Supercharge Semgrep OSS when you create a free account at https://sg.run/rules.

Summary by CodeRabbit

  • Chores
    • Enhanced release workflow tag handling for improved robustness in the CI/CD pipeline.

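The semgrep finding above is about where the expansion happens: `${{ inputs.tag }}` is substituted into the script text by the Actions runner before bash ever parses it, so any shell metacharacters in the input become part of the script. Moving the expansion into `env:` turns the value into a process environment variable that the shell only ever sees as data. The following is an added illustration, not the project's own `release.yaml`: it places the flagged `run:` step beside the `env:`-based form the PR adopts. The job names, the checkout step, the `workflow_dispatch` input definition and the semver-style tag check are assumptions; only the four git commands and the `if:` guard come from the thread.

```yaml
# Added example (not commit-check's actual workflow): weak form next to the corrected form.
name: release

on:
  workflow_dispatch:
    inputs:
      tag:
        description: "Tag to (re)create"   # assumed input definition
        required: true
        type: string

jobs:
  # BEFORE: this is the shape semgrep flags with run-shell-injection.
  # `${{ inputs.tag }}` is pasted into the script text before bash parses it,
  # so the input is treated as shell syntax rather than as a value.
  retag-flagged:
    runs-on: ubuntu-latest
    if: github.event.inputs.tag != ''
    steps:
      - uses: actions/checkout@v4
      - run: |
          git tag --delete ${{ inputs.tag }}  || true
          git push --delete origin ${{ inputs.tag }} || true
          git tag -a ${{ inputs.tag }} -m 'Retag ${{ inputs.tag }}'
          git push origin ${{ inputs.tag }}

  # AFTER: the pattern the finding recommends and the PR applies.
  # The expansion happens in `env:`, so bash receives TAG as an ordinary
  # environment variable; every reference is double-quoted.
  retag-hardened:
    runs-on: ubuntu-latest
    if: github.event.inputs.tag != ''
    steps:
      - uses: actions/checkout@v4
      - name: Retag
        env:
          TAG: ${{ inputs.tag }}
        run: |
          # Defence in depth (assumed policy, not from the PR): accept only a
          # plain semver-style tag so odd refs never reach git at all.
          if [[ ! "$TAG" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
            echo "refusing unexpected tag: $TAG" >&2
            exit 1
          fi
          git tag --delete "$TAG" || true
          git push --delete origin "$TAG" || true
          git tag -a "$TAG" -m "Retag $TAG"
          git push origin "$TAG"
```

Re-running `semgrep .` against a file with only the second job present reports no `run-shell-injection` finding, because the rule matches `${{ ... }}` inside `run:` blocks, not inside `env:`. The extra regex check is optional hardening; the quoting plus `env:` indirection is what closes the injection path the finding describes.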

@ruzickap ruzickap requested a review from a team as a code owner December 5, 2025 15:16
@ruzickap ruzickap requested a review from shenxianpeng December 5, 2025 15:16
@coderabbitai

coderabbitai bot commented Dec 5, 2025

Walkthrough

The release workflow refactors tag handling by extracting the input tag value into an environment variable, then consistently using the shell variable reference throughout all git operations instead of direct template syntax.

Changes

Cohort / File(s) Summary
Workflow tag variable refactoring
.github/workflows/release.yaml
Extracts inputs.tag into an environment variable TAG; all git operations (delete, push delete, create annotated tag, push tag) now reference "$TAG" instead of "${{ inputs.tag }}" with consistent quoting applied.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

  • Single configuration file with a straightforward variable extraction pattern applied consistently across git commands
  • No logic changes or conditional flow modifications

Poem

🐰 A tag by any other name flows just as true,
We've bundled it up in a variable, shiny and new,
No more template syntax scattered about—
Just $TAG all the way, without a doubt! 🏷️

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately describes the main change: refactoring to use environment variables instead of direct input references in bash code within workflow steps.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ccb9ad9 and 1066761.

📒 Files selected for processing (1)
  • .github/workflows/release.yaml (1 hunks)
🔇 Additional comments (1)
.github/workflows/release.yaml (1)

33-40: Excellent security and best-practice improvement.

The refactoring to use an environment variable (TAG) instead of direct template syntax (${{ inputs.tag }}) in bash is a solid upgrade. This pattern:

  1. Separates GitHub Actions templating from shell execution, reducing injection risk
  2. Improves readability by making variable origins explicit
  3. Enables proper shell quoting of all references
  4. Aligns with bash best practices

The conditional guard (github.event.inputs.tag != ''), error handling (|| true), and quoting of all variable references are all correct.


Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.


@shenxianpeng shenxianpeng added the bug Something isn't working label Dec 5, 2025
Contributor

@shenxianpeng shenxianpeng left a comment


Thanks!

@shenxianpeng shenxianpeng merged commit ed35ee0 into commit-check:main Dec 5, 2025
2 of 3 checks passed
