From e7724f3a745ac36225305f3d17b59931b647dc6e Mon Sep 17 00:00:00 2001
From: Jan Larwig
Date: Thu, 12 Feb 2026 21:18:45 +0100
Subject: [PATCH] ci: ensure release branches originate from the local repository and reduce residual risk of command injection (#3337)
Signed-off-by: Jan Larwig
---
 .github/workflows/publish-release.yml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml
index d3a8115f..9f235fb6 100644
--- a/.github/workflows/publish-release.yml
+++ b/.github/workflows/publish-release.yml
@@ -14,7 +14,7 @@ permissions:
 jobs:
 publish:
- if: github.event.pull_request.merged && startsWith(github.event.pull_request.head.ref, 'release/')
+ if: github.event.pull_request.merged && startsWith(github.event.pull_request.head.ref, 'release/') && github.event.pull_request.head.repo.full_name == github.repository
 runs-on: ubuntu-latest
 outputs:
 tag: ${{ steps.tag.outputs.version }}
@@ -27,14 +27,15 @@ jobs:
 fetch-tags: true
 - name: Tag release
+ env:
+ BRANCH: ${{ github.event.pull_request.head.ref }}
 run: |
 # Set up github-actions[bot] user
 git config --local user.name "github-actions[bot]"
 git config --local user.email "41898282+github-actions[bot]@users.noreply.github.com"
 # Get the version from the branch name
- branch="${{ github.event.pull_request.head.ref }}"
- version="${branch#release/}"
+ version="${BRANCH#release/}"
 echo ${version}
 # Tag and create release
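Review bot: The new `head.repo.full_name == github.repository` clause keeps fork branches out of the tagging job, but the `if:` still does not constrain where the release branch was merged: a `release/*` branch merged into any base branch satisfies it and would be tagged and published. If releases are meant to be cut only from the default branch, add `&& github.event.pull_request.base.ref == github.event.repository.default_branch` to the same condition. The workflow's `on:` block is outside the hunk, so I can't tell whether the event filter already narrows the base branch; if it does, this is covered.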
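Review bot: Moving the branch name into the `BRANCH` env var takes it out of the script text, but the derived `version` is still expanded unquoted in `echo ${version}` and is presumably what the tag and release commands below the hunk consume, with no check that it looks like a version. Anyone with push access to this repository chooses a `release/` branch name, so I would quote the expansion and fail early on unexpected values: `[[ "${version}" =~ ^[0-9]+\.[0-9]+\.[0-9]+([-.][0-9A-Za-z.]+)?$ ]] || { echo "unexpected version '${version}'" >&2; exit 1; }` followed by `echo "${version}"`. The pattern is a guess at the project's tag scheme and should be adjusted to match existing tags. The `run:` block continues past the end of the hunk.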