From ad7cd7132ee6ca55592e33b91b7a50b9c866a737 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micka=C3=ABl=20Canouil?= <8896044+mcanouil@users.noreply.github.com>
Date: Mon, 15 Aug 2022 10:25:03 +0200
Subject: [PATCH 1/2] ci: auto tag and release on 'release vX.X.X' commit
---
.github/workflows/release.yml | 39 +++++++++++++++++++++++++++++++++++++++
1 file changed, 39 insertions(+)
create mode 100644 .github/workflows/release.yml
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 0000000..cc2b7c4
--- /dev/null
+++ b/.github/workflows/release.yml
@@ -0,0 +1,39 @@
+on:
+ push:
+ branches: main
+
+name: Release
+
+jobs:
+ create_release:
+ runs-on: ubuntu-latest
+ if: startsWith(github.event.head_commit.message, 'release')
+ steps:
+ - uses: actions/checkout@v3
+ - name: Set version from commit message
+ id: tag_id
+ run: |
+ VAR="${{ github.event.head_commit.message }}"
+ TAG="${VAR#* }"
+ echo ::set-output name=tag::"${TAG}"
+ echo "${TAG}"
+ - name: Set release name
+ id: release_id
+ run: |
+ echo ::set-output name=releasename::"${{ steps.tag_id.outputs.tag }}"
+ - name: Bump version and push tag
+ id: tag_version
+ uses: mathieudutour/github-tag-action@v6.0
+ with:
+ github_token: ${{ secrets.GITHUB_TOKEN }}
+ default_bump: false
+ custom_tag: ${{ steps.tag_id.outputs.tag }}
+ tag_prefix: ""
+ - name: Create Release
+ uses: ncipollo/release-action@v1
+ with:
+ tag: ${{ steps.tag_version.outputs.new_tag }}
+ name: ${{ steps.release_id.outputs.releasename }}
+ generateReleaseNotes: true
+ allowUpdates: false
+ token: ${{ secrets.GITHUB_TOKEN }}
From d62736dbc191a6e60d173d7a0fbfc923bfad597d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micka=C3=ABl=20Canouil?= <8896044+mcanouil@users.noreply.github.com>
Date: Mon, 15 Aug 2022 11:04:57 +0200
Subject: [PATCH 2/2] ci: fix injection risk attack by using intermediate env
---
.github/workflows/release.yml | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
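Review bot: The `Set release name` step still expands `${{ steps.tag_id.outputs.tag }}` directly inside its `run:` script, and that output is derived from the head commit message, so message text is substituted into the shell source before bash parses it. The second patch in this series moves only the `tag_id` step's input into `env:`; this step needs the same treatment, for example an `env:` entry `TAG: ${{ steps.tag_id.outputs.tag }}` and the script line `echo ::set-output name=releasename::"${TAG}"`. Separately, both third-party actions are handed `secrets.GITHUB_TOKEN` while referenced by mutable tags (`@v6.0`, `@v1`), and the workflow declares no `permissions:` block. Pinning each action to a full commit SHA and granting only `contents: write` would limit what a retagged action could do with the token.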
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index cc2b7c4..dc3980e 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -12,8 +12,9 @@ jobs:
 - uses: actions/checkout@v3
 - name: Set version from commit message
 id: tag_id
+ env:
+ VAR: ${{ github.event.head_commit.message }}
 run: |
- VAR="${{ github.event.head_commit.message }}"
 TAG="${VAR#* }"
 echo ::set-output name=tag::"${TAG}"
 echo "${TAG}"
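Review bot: `TAG` is written to the step output without any format check: `TAG="${VAR#* }"` keeps everything after the first space, including any later lines of a multi-line commit message, and the two `echo` lines print that text to the runner's stdout, where workflow commands are parsed. Moving the message into `env:` stops it being spliced into the script, but the value is still untrusted when `custom_tag` and the release name consume it. Consider rejecting anything that is not the `vX.X.X` form named in the commit subject before emitting the output, for example `[[ "${TAG}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]] || { echo "unexpected tag format" >&2; exit 1; }` placed right after the `TAG=` line. The rest of the job's steps lie outside this hunk.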