
fix(ci): prevent code injection in release-otdfctl workflow#3308

Merged
alkalescent merged 1 commit into DSPX-2655-migrate-otdfctl from otdfctl-zizmor-issues on Apr 15, 2026

Conversation

@alkalescent (Contributor)

Proposed Changes

  • Fix two zizmor-flagged code injection vulnerabilities in release-otdfctl.yaml by passing github.event.release.tag_name through env: variables instead of direct template expansion in run: blocks.

Checklist

  • I have added or updated unit tests
  • I have added or updated integration tests (if appropriate)
  • I have added or updated documentation

Testing Instructions

No functional change — the workflow behaves identically, but tag name values are now injected as environment variables rather than interpolated into shell scripts.
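To illustrate the pattern this PR describes, here is an added example of a release step in its vulnerable and hardened forms. It is not the actual diff of release-otdfctl.yaml (which is not shown on this page); the job and step layout, the `TAG_NAME` variable name and the `./scripts/build.sh` script are hypothetical.

```yaml
# Added illustration, not the PR's diff. Job names, TAG_NAME and
# ./scripts/build.sh are hypothetical.
on:
  release:
    types: [published]

jobs:
  # BEFORE: ${{ ... }} is expanded by the Actions runner *before* the shell
  # starts, so the tag name is pasted into the script text itself. A release
  # tag containing shell metacharacters (quotes, `;`, `$(...)`) would then be
  # parsed as code by the shell. This is the class of finding zizmor reports
  # as template injection.
  release-before:
    runs-on: ubuntu-latest
    steps:
      - run: |
          echo "Releasing ${{ github.event.release.tag_name }}"
          ./scripts/build.sh "${{ github.event.release.tag_name }}"

  # AFTER: the expression is expanded into an environment variable instead.
  # The script is now a fixed string; the tag name only ever reaches the shell
  # as the *value* of $TAG_NAME, read at runtime as data, and the double quotes
  # keep it from being word-split or globbed.
  release-after:
    runs-on: ubuntu-latest
    steps:
      - env:
          TAG_NAME: ${{ github.event.release.tag_name }}
        run: |
          echo "Releasing ${TAG_NAME}"
          ./scripts/build.sh "${TAG_NAME}"
```

The `release-after` job mirrors the change described above: the `run:` script is unchanged in behaviour for well-formed tags, but the value can no longer alter the script's structure. A quick self-check for a repository is to search `run:` blocks for `${{ github.event.` (and other attacker-influenced contexts such as `github.head_ref`) and move each such expression into an `env:` entry; running zizmor on the workflow directory reports the remaining instances.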

@alkalescent alkalescent requested review from a team as code owners April 15, 2026 17:28
@gemini-code-assist (Contributor)

Note

Gemini is unable to generate a summary for this pull request due to the file types involved not being currently supported.

@coderabbitai bot commented Apr 15, 2026

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: f71dbd57-4703-47c1-a994-21c53a3d5bbb

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


@github-actions github-actions bot added the labels "comp:ci Github Actions Work" and "size/xs" on Apr 15, 2026
@github-actions (Contributor)

Benchmark results

Benchmark authorization.GetDecisions Results:

  Metric                      Value
  Approved Decision Requests  1000
  Denied Decision Requests    0
  Total Time                  194.957821ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

  Metric                      Value
  Approved Decision Requests  1000
  Denied Decision Requests    0
  Total Time                  107.556365ms

Benchmark Statistics

  Name  № Requests  Avg Duration  Min Duration  Max Duration

Bulk Benchmark Results

  Metric               Value
  Total Decrypts       100
  Successful Decrypts  100
  Failed Decrypts      0
  Total Time           411.608988ms
  Throughput           242.95 requests/second

TDF3 Benchmark Results:

  Metric               Value
  Total Requests       5000
  Successful Requests  5000
  Failed Requests      0
  Concurrent Requests  50
  Total Time           41.081064765s
  Average Latency      409.165047ms
  Throughput           121.71 requests/second

@github-actions (Contributor)

⚠️ Govulncheck found vulnerabilities ⚠️

The following modules have known vulnerabilities:

  • examples
  • otdfctl
  • sdk
  • service
  • lib/fixtures
  • tests-bdd

See the workflow run for details.

@alkalescent alkalescent merged commit 9bba58a into DSPX-2655-migrate-otdfctl Apr 15, 2026
37 of 38 checks passed
@alkalescent alkalescent deleted the otdfctl-zizmor-issues branch April 15, 2026 18:04