From 242b0272035296fb2bdf88e000f5e13ed84bf079 Mon Sep 17 00:00:00 2001
From: Ewan Harris
Date: Mon, 9 Sep 2024 18:28:26 +0100
Subject: [PATCH] ci: fix needs for create-release and pass tag name via env

Passing via env makes it safer to read from context to avoid injection attacks
---
 .github/workflows/publish.yaml | 43 +++++++++++++++++-----------------
 1 file changed, 22 insertions(+), 21 deletions(-)

diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
index 0729c94..27c502d 100644
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@@ -11,26 +11,6 @@ jobs:
 test:
 uses: ./.github/workflows/main.yaml

- create-release:
- runs-on: ubuntu-latest
- needs: [publish-maven-central, publish-github-packages]
- permissions:
- contents: write
- packages: write # publish a new github release
- steps:
- - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- with:
- fetch-depth: 0
-
- - name: Create Release
- uses: Roang-zero1/github-create-release-action@57eb9bdce7a964e48788b9e78b5ac766cb684803 # v3.0.1
- with:
- version_regex: ^v[[:digit:]]+\.[[:digit:]]+\.[[:digit:]]+
- changelog_file: CHANGELOG.md
- create_draft: true
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
 publish:
 needs: test
 runs-on: ubuntu-latest
@@ -64,4 +44,25 @@ jobs:
 - name: Upload Release Asset
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- run: gh release upload ${{ github.event.release.tag_name }} ./build/distributions/*
+ TAG_NAME: ${{ github.event.release.tag_name }}
+ run: gh release upload "${{ env.TAG_NAME }}" ./build/distributions/*
+
+ create-release:
+ runs-on: ubuntu-latest
+ needs: publish
+ permissions:
+ contents: write
+ packages: write # publish a new github release
+ steps:
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ with:
+ fetch-depth: 0
+
+ - name: Create Release
+ uses: Roang-zero1/github-create-release-action@57eb9bdce7a964e48788b9e78b5ac766cb684803 # v3.0.1
+ with:
+ version_regex: ^v[[:digit:]]+\.[[:digit:]]+\.[[:digit:]]+
+ changelog_file: CHANGELOG.md
+ create_draft: true
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
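Review bot: In the `Upload Release Asset` step, `run: gh release upload "${{ env.TAG_NAME }}" ./build/distributions/*` still passes the tag name through a workflow expression, which the runner substitutes into the script text before the shell parses it, so the new `TAG_NAME` env entry and the double quotes do not give the protection the commit message describes. Read the variable from the shell instead: `run: gh release upload "$TAG_NAME" ./build/distributions/*`. Separately, the re-added `create-release` job keeps `packages: write` with the comment `# publish a new github release`; nothing visible in the job publishes packages, so `contents: write` alone looks sufficient and the comment seems to belong on that line, which is worth confirming against the release action's requirements. The `publish` job that contains the upload step starts outside this hunk.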