From 8a93af2327daaed153446c63a5091a774aa08393 Mon Sep 17 00:00:00 2001
From: "fix-it-felix-sentry[bot]" <260785270+fix-it-felix-sentry[bot]@users.noreply.github.com>
Date: Wed, 29 Apr 2026 11:45:59 +0000
Subject: [PATCH] fix(security): Prevent GitHub script injection in update-tox workflow
Replace direct GitHub context variable interpolation with environment variables to prevent code injection attacks. This addresses a high severity security finding where untrusted user input from GitHub context could be injected into the actions/github-script execution.
Changes:
- Add env block with BRANCH_NAME, COMMIT_TITLE, DATE, and BASE_BRANCH
- Replace direct interpolation with process.env variables
- Prevents script injection vulnerability (VULN-1594)
Refs: https://linear.app/getsentry/issue/VULN-1594
Refs: https://linear.app/getsentry/issue/PY-2395
Co-Authored-By: fix-it-felix-sentry[bot] <260785270+fix-it-felix-sentry[bot]@users.noreply.github.com>
---
 .github/workflows/update-tox.yml | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/update-tox.yml b/.github/workflows/update-tox.yml
index 105377cfd2..17a853c093 100644
--- a/.github/workflows/update-tox.yml
+++ b/.github/workflows/update-tox.yml
@@ -55,11 +55,16 @@ jobs:
 - name: Create pull request
 uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+ env:
+ BRANCH_NAME: ${{ steps.create-branch.outputs.branch_name }}
+ COMMIT_TITLE: ${{ steps.create-branch.outputs.commit_title }}
+ DATE: ${{ steps.create-branch.outputs.date }}
+ BASE_BRANCH: ${{ github.ref_name }}
 with:
 script: |
- const branchName = '${{ steps.create-branch.outputs.branch_name }}';
- const commitTitle = '${{ steps.create-branch.outputs.commit_title }}';
- const date = '${{ steps.create-branch.outputs.date }}';
+ const branchName = process.env.BRANCH_NAME;
+ const commitTitle = process.env.COMMIT_TITLE;
+ const date = process.env.DATE;
 const prBody = `Update our test matrix with new releases of integrated frameworks and libraries.
 ## How it works
@@ -100,7 +105,7 @@ jobs:
 repo: context.repo.repo,
 title: commitTitle + ' (' + date + ')',
 head: branchName,
- base: '${{ github.ref_name }}',
+ base: process.env.BASE_BRANCH,
 body: prBody,
 });
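Review bot: The three `process.env` reads added in the first hunk are used without a presence check, so if the `create-branch` step emitted an empty or missing output the script proceeds to `pulls.create` with `head: ''` (or `undefined`) and fails with an opaque API error rather than a readable one; a guard such as `if (!branchName || !commitTitle || !date) throw new Error('create-branch step produced no outputs');` placed before `prBody` is built would pin that down. The `script:` literal continues past the first hunk up to the second (the lines between are not shown), and the fix is only complete if no other `${{ … }}` expression remains anywhere inside that literal, since anything still interpolated there is expanded before the JavaScript runs — worth confirming across the whole block. Moving `github.ref_name` into `BASE_BRANCH` in the second hunk closes the same gap for the `base` field, and the same presence guard should cover it.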