From 63ab3ec57e82ae863895ae2a2fc79abcb1d4336c Mon Sep 17 00:00:00 2001
From: deluan
Date: Sat, 7 Feb 2026 20:15:29 -0500
Subject: [PATCH] Fix script injection and use jq for manifest updates

Use environment variables instead of direct ${{ inputs.version }} interpolation in shell scripts to prevent script injection. Switch from sed to jq for updating manifest.json, consistent with how release.yml already reads the version.
---
 .github/workflows/create-release.yml | 24 ++++++++++++++++--------
 1 file changed, 16 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/create-release.yml b/.github/workflows/create-release.yml
index 7b4f23a..a4b6deb 100644
--- a/.github/workflows/create-release.yml
+++ b/.github/workflows/create-release.yml
@@ -17,9 +17,11 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Validate version format
+ env:
+ VERSION: ${{ inputs.version }}
 run: |
- if [[ ! "${{ inputs.version }}" =~ ^[0-9]+\.[0-9]+\.[0-9]+.*$ ]]; then
- echo "::error::Invalid version format '${{ inputs.version }}'. Use X.X.X (e.g., 1.2.3)"
+ if [[ ! "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+.*$ ]]; then
+ echo "::error::Invalid version format '$VERSION'. Use X.X.X (e.g., 1.2.3)"
 exit 1
 fi

@@ -27,9 +29,11 @@ jobs:
 uses: actions/checkout@v5

 - name: Check tag does not already exist
+ env:
+ VERSION: ${{ inputs.version }}
 run: |
- if git ls-remote --tags origin "refs/tags/v${{ inputs.version }}" | grep -q .; then
- echo "::error::Tag v${{ inputs.version }} already exists"
+ if git ls-remote --tags origin "refs/tags/v${VERSION}" | grep -q .; then
+ echo "::error::Tag v${VERSION} already exists"
 exit 1
 fi

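Review bot: The validation regex `^[0-9]+\.[0-9]+\.[0-9]+.*$` in the "Validate version format" step still accepts any trailing text after the third number, so moving the value into `$VERSION` removes the shell-expansion risk but a value such as `1.2.3 extra` still passes and flows into `git tag`, `git push` and the `echo "::error::…"` workflow-command line below. In bash's `[[ =~ ]]` the `.` of `.*` also matches a newline as far as I can tell, so the `echo` could emit whatever follows a newline as additional workflow-command lines, which the X.X.X wording of the error message does not suggest is intended. Restricting the suffix to a pre-release identifier closes this and matches the message: `if [[ ! "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.]+)?$ ]]; then`. The enclosing job definition starts before this hunk.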
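Review bot: In the "Check tag does not already exist" step, a failure of `git ls-remote` itself (network or auth error) produces no output, so `grep -q .` fails, the `if` is simply false and the step succeeds as though the tag were absent; the duplicate-tag guard is then skipped silently instead of failing the job. Assuming the workflow uses GitHub's default `bash -eo pipefail` shell for `run:` (no `shell:` override is visible in the hunk), capturing the output in an assignment makes an ls-remote failure abort the step under `-e`: `existing=$(git ls-remote --tags origin "refs/tags/v${VERSION}")` followed by `if [[ -n "$existing" ]]; then`. The rest of the step is unchanged.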
@@ -42,14 +46,18 @@ jobs:
 run: go test -race ./...

 - name: Update manifest.json version
+ env:
+ VERSION: ${{ inputs.version }}
 run: |
- sed -i 's/"version": *"[^"]*"/"version": "${{ inputs.version }}"/' manifest.json
+ jq --arg v "$VERSION" '.version = $v' manifest.json > manifest.tmp && mv manifest.tmp manifest.json

 - name: Commit, tag, and push
+ env:
+ VERSION: ${{ inputs.version }}
 run: |
 git config user.name "github-actions[bot]"
 git config user.email "github-actions[bot]@users.noreply.github.com"
 git add manifest.json
- git commit --allow-empty -m "Release v${{ inputs.version }}"
- git tag "v${{ inputs.version }}"
- git push origin main "v${{ inputs.version }}"
+ git commit --allow-empty -m "Release v${VERSION}"
+ git tag "v${VERSION}"
+ git push origin main "v${VERSION}"
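Review bot: `git push origin main "v${VERSION}"` in the "Commit, tag, and push" step updates two refs in one push but, as far as I know, not atomically: if the branch update is rejected (for example by branch protection) the tag can still be created, pointing at a release commit that never reached main, and a re-run then stops at the duplicate-tag check. `git push --atomic origin main "v${VERSION}"` asks the server to accept both ref updates or neither. Separately, `jq` re-serialises the whole file rather than editing one line as `sed` did, so manifest.json may pick up formatting churn (indentation, escapes) in the release commit; a comment above the jq line such as `# jq rewrites the whole file; formatting follows jq's output, not the original` would make that expected. The enclosing job definition starts before this hunk.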