
@OlegWock OlegWock commented Dec 5, 2025

Fixes BLU-5298

Summary by CodeRabbit

  • Chores
    • Updated release workflow configuration to improve release process automation.

linear bot commented Dec 5, 2025

coderabbitai bot commented Dec 5, 2025

📝 Walkthrough

The release workflow was modified to pass the release tag via an environment variable instead of directly interpolating it into the shell command. The RELEASE_TAG environment variable is set to github.ref_name, and the gh release upload command now references this variable. This addresses a shell command injection vulnerability in the release pipeline.

Pre-merge checks

✅ Passed checks (5 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. Title clearly describes the main change: converting direct ref_name interpolation to an environment variable to prevent template injection.
  • Linked Issues check: ✅ Passed. The PR addresses BLU-5298 by replacing direct shell interpolation of github.ref_name with an environment variable, preventing workflow template injection.
  • Out of Scope Changes check: ✅ Passed. All changes in release.yml are scoped to fixing the template injection vulnerability; no unrelated modifications present.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: ASSERTIVE

Plan: Pro

Disabled knowledge base sources:

  • Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 1c68999 and 5502b57.

📒 Files selected for processing (1)
  • .github/workflows/release.yml (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)
  • GitHub Check: build-and-test / build-vegafusion-python-linux-64
  • GitHub Check: build-and-test / check-vegafusion-python
  • GitHub Check: build-and-test / check-rust
  • GitHub Check: build-and-test / test-rust
🔇 Additional comments (1)
.github/workflows/release.yml (1)

33-38: Security fix looks good — env var properly isolates the ref from shell injection.

Moving github.ref_name to an environment variable and quoting it in the shell command ("$RELEASE_TAG") prevents command injection if the ref contains shell metacharacters. This is the right approach for passing potentially untrusted input to shell commands in CI/CD.
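The before/after shape of the step described above, written out as an added illustration rather than the project's actual release.yml (the step names, the GH_TOKEN setup and the asset path are assumptions, not taken from the PR):

```yaml
# Added example, not the repository's release.yml. Step names, token setup and
# the dist/* asset path are assumptions chosen for illustration.

# Before: ${{ github.ref_name }} is expanded by the Actions runner into the
# script text before the shell ever parses it, so a tag or branch name
# containing shell metacharacters becomes part of the command itself.
- name: Upload release assets (vulnerable pattern)
  env:
    GH_TOKEN: ${{ github.token }}
  run: gh release upload ${{ github.ref_name }} dist/*

# After: the ref reaches the shell as the value of an environment variable,
# i.e. as data rather than code. Quoting "$RELEASE_TAG" additionally stops
# word splitting and globbing, so the tag is passed to gh as one argument.
- name: Upload release assets (hardened)
  env:
    GH_TOKEN: ${{ github.token }}
    RELEASE_TAG: ${{ github.ref_name }}
  run: gh release upload "$RELEASE_TAG" dist/*
```

The same env-var pattern applies to every other untrusted context value placed in a run: script (issue titles, PR bodies, commit messages, head_ref), not only github.ref_name.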


@OlegWock OlegWock requested a review from mfranczel December 5, 2025 09:26
@mfranczel mfranczel merged commit 3a5ea1d into main Dec 5, 2025
10 checks passed