From 9065ac84305c22dfa976777b663a9148f7cfe569 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sat, 28 Feb 2026 00:49:02 +0000
Subject: [PATCH 1/2] Initial plan

From bf6f4959f71c1f7ac158ae091cf040a4beb0b142 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sat, 28 Feb 2026 00:51:04 +0000
Subject: [PATCH 2/2] Fix code injection vulnerability by moving release URL to environment variable

Co-authored-by: anoncam <46797044+anoncam@users.noreply.github.com>
---
 .github/workflows/release-with-sbom.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/release-with-sbom.yml b/.github/workflows/release-with-sbom.yml
index ad2e161..8c80a89 100644
--- a/.github/workflows/release-with-sbom.yml
+++ b/.github/workflows/release-with-sbom.yml
@@ -556,8 +556,9 @@ jobs:
 - name: Release complete
 env:
 RELEASE_VERSION: ${{ steps.version.outputs.version }}
+ RELEASE_URL: ${{ steps.create_release.outputs.url }}
 run: |
 echo "✅ Release process complete"
 echo "Version: v$RELEASE_VERSION"
- echo "Release URL: ${{ steps.create_release.outputs.url }}"
+ echo "Release URL: $RELEASE_URL"
 echo "SBOM and detailed release notes published to GitHub release"
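Review bot: The new `env:` entry for `RELEASE_URL` carries no comment explaining why the step output is passed through the environment instead of being written into `run:`, so a future edit can quietly reintroduce the `${{ }}`-in-script pattern the commit removes. I would add above the `env:` block: `# Step outputs are passed via env, not expanded inside run:, so their contents reach the shell as data rather than as script text.` The rewritten `echo "Release URL: $RELEASE_URL"` is correct as written, since the variable is expanded inside a double-quoted string and is not re-parsed by the shell. It is not visible from this hunk whether other `run:` steps in the same workflow still interpolate `${{ }}` expressions directly; if they do, they would merit the same treatment. The enclosing step and job begin outside the hunk.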