From 325ffd7bb83e51d46e083cfa0ea5e3bfeec07f54 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 19 Feb 2026 15:24:33 +0000
Subject: [PATCH 1/2] Initial plan

From 3f3f6e8faaee11970a34aee251ec7e203bcba1fe Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 19 Feb 2026 15:25:59 +0000
Subject: [PATCH 2/2] Add NAME/VERSION format validation in python-release.yml

Co-authored-by: pmalarme <686568+pmalarme@users.noreply.github.com>
---
 .github/workflows/python-release.yml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/.github/workflows/python-release.yml b/.github/workflows/python-release.yml
index 17e9c14..345c3b0 100644
--- a/.github/workflows/python-release.yml
+++ b/.github/workflows/python-release.yml
@@ -57,6 +57,12 @@ jobs:
 VERSION=$(echo "$BASENAME" | cut -d- -f2)
 TAG="${NAME}-v${VERSION}"
 
+ # Validate NAME and VERSION to prevent unexpected values from flowing into git commands
+ if [[ ! "$NAME" =~ ^[a-zA-Z0-9_-]+$ ]] || [[ ! "$VERSION" =~ ^[0-9a-zA-Z._-]+$ ]]; then
+ echo "::error::Unexpected wheel name/version format in '${BASENAME}' — skipping." >&2
+ continue
+ fi
+
 # Skip if tag already exists
 if git rev-parse "refs/tags/${TAG}" >/dev/null 2>&1; then
 echo "::notice::Tag ${TAG} already exists — skipping."
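Review bot: The two patterns in the added `if` are looser than what git accepts as a tag name, so the check does not fully deliver what its comment promises. Both classes allow a leading `-`, which would be read as an option wherever `$TAG` is passed to git as a bare argument, and the VERSION class lets `..` or a trailing `.` / `.lock` through, which git rejects in ref names. I would require an alphanumeric first character (`^[a-zA-Z0-9][a-zA-Z0-9_-]*$` and `^[0-9a-zA-Z][0-9a-zA-Z._-]*$`) and add `git check-ref-format "refs/tags/${TAG}" || continue` after the regex test so git itself has the final say. The failure path prints `::error::` and then `continue`s, so the step presumably still ends green; if a malformed wheel is meant to be skipped rather than fail the release, `::warning::` would match the behaviour. The enclosing loop and every use of `TAG` after `git rev-parse` lie outside the hunk, so how the tag reaches later git commands cannot be checked from here.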