Potential fix for code scanning alert no. 1: Cache Poisoning via low-privileged code injection (#2164)

kevinjqliu · github-advanced-security[bot] · blackmwk · web-flow · commit 6a01be7d4633 · 2026-02-23T17:52:37.000-08:00
Potential fix for [https://github.com/apache/iceberg-rust/security/code-scanning/1](https://github.com/apache/iceberg-rust/security/code-scanning/1) To fix the issue, pass `github.event.workflow_run.head_branch` into the shell as an environment variable instead of interpolating it directly in the script, and then reference only the environment variable inside the `run` block. This follows the safer pattern from the “Secure Workflow” example, where GitHub expressions are resolved into environment variables and then treated as inert data. Concretely, update the `Validate release tag format` step: - Add an `env:` section with two variables: - `DISPATCH_RELEASE_TAG: ${{ github.event.inputs.release_tag }}` - `RUN_HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}` - Replace the direct usages of `${{ github.event.inputs.release_tag }}` and `${{ github.event.workflow_run.head_branch }}` in the shell script with `$DISPATCH_RELEASE_TAG` and `$RUN_HEAD_BRANCH` respectively. This change is all within `.github/workflows/release_python.yml`, in the `validate-release-tag` job, `Validate release tag format` step. No new methods, external definitions, or imports are required. _Suggested fixes powered by Copilot Autofix. Review carefully before merging._ ### Tested On fork repo github action run: https://github.com/kevinjqliu/iceberg-rust/actions/runs/22290533306 Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Co-authored-by: blackmwk <liurenjie1024@outlook.com>
diff --git a/.github/workflows/release_python.yml b/.github/workflows/release_python.yml
@@ -55,11 +55,14 @@ jobs:
         # Use input for workflow_dispatch, otherwise use `workflow_run.head_branch`
         # Note, `workflow_run.head_branch` does not contain `refs/tags/` prefix, just the tag name, i.e. `v0.4.0` or `v0.4.0-rc.1`
         # Valid formats: v<major>.<minor>.<patch> OR v<major>.<minor>.<patch>-rc.<release_candidate>
+        env:
+          DISPATCH_RELEASE_TAG: ${{ github.event.inputs.release_tag }}
+          RUN_HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}
         run: |
           if [ "${{ github.event_name }}" == "workflow_dispatch" ]; then
-            RELEASE_TAG="${{ github.event.inputs.release_tag }}"
+            RELEASE_TAG="$DISPATCH_RELEASE_TAG"
           else
-            RELEASE_TAG="${{ github.event.workflow_run.head_branch }}"
+            RELEASE_TAG="$RUN_HEAD_BRANCH"
           fi
           echo "Validating release tag: $RELEASE_TAG"
           if [[ ! "$RELEASE_TAG" =~ ^v[0-9]+\.[0-9]+\.[0-9]+(-rc\.[0-9]+)?$ ]]; then
