Fix shell injection vulnerability in release workflow (ENG-6554)

[fix-it-felix-sentry]

Summary

This PR fixes a high-severity shell injection vulnerability in the GitHub Actions release workflow.

Problem

The workflow was using direct interpolation of GitHub context data (${{ github.event_name }} and ${{ github.event.inputs.version }}) in shell scripts, which could allow an attacker to inject malicious code through user-controlled input.

Solution

• Added an env: section to set environment variables GH_EVENT_NAME and GH_INPUT_VERSION
• Updated the shell script to reference these environment variables with proper quoting
• This prevents untrusted user data from being executed as code

Testing

The workflow file syntax is valid and follows GitHub Actions best practices for security hardening.

References

• Child ticket: https://linear.app/getsentry/issue/ENG-6554
• Parent ticket: https://linear.app/getsentry/issue/VULN-1163
• Semgrep rule: https://semgrep.dev/r/yaml.github-actions.security.run-shell-injection.run-shell-injection
• GitHub security docs: https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions#understanding-the-risk-of-script-injections

[linear]

ENG-6554 Command Injection vulnerability in getsentry/XcodeBuildMCP .github/workflows/release.yml

[pkg-pr-new]

Open in StackBlitz

npm i https://pkg.pr.new/getsentry/XcodeBuildMCP/xcodebuildmcp@229

commit: a4c6513

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.}