sec: shell injection via github.ref_name in release-core.yml run steps

[longieirl]

Summary

Semgrep (yaml.github-actions.security.run-shell-injection) flagged two run: steps in .github/workflows/release-core.yml that interpolate ${{ github.ref_name }} directly into shell commands. A git tag with embedded shell metacharacters would be executed verbatim on the runner, allowing a tag pusher to exfiltrate secrets.

Affected locations

Line	Expression	Risk
44	TAG="${{ github.ref_name }}"	github.ref_name is attacker-controlled via tag name
141	"ref": "${{ github.ref_name }}"	Same value interpolated inside a JSON string in a curl body

Note: ${{ secrets.DOWNSTREAM_DISPATCH_TOKEN }} at line 135 is not user-controlled, but should still be moved to env: as best practice.

Fix

Move github context values to env: and reference them as shell environment variables:

- name: Extract and validate version
  id: version
  env:
    TAG: ${{ github.ref_name }}
  run: |
    TAG_VERSION="${TAG#core-v}"
    ...

- name: Dispatch core-released event to private repo
  env:
    DISPATCH_TOKEN: ${{ secrets.DOWNSTREAM_DISPATCH_TOKEN }}
    CORE_VERSION: ${{ needs.validate.outputs.version }}
    REF_NAME: ${{ github.ref_name }}
  run: |
    curl -fsSL -X POST \
      -H "Authorization: Bearer $DISPATCH_TOKEN" \
      ... \
      -d "{\"event_type\":\"core-released\",\"client_payload\":{\"core_version\":\"$CORE_VERSION\",\"ref\":\"$REF_NAME\"}}"

References

• GitHub Security Lab — Keeping your GitHub Actions and workflows secure
• Semgrep rule: yaml.github-actions.security.run-shell-injection
• Detected by: Semgrep OSS static analysis (p/github-actions)