From 9edaf566ba31ea5e5215d1b5bfe98d1419631277 Mon Sep 17 00:00:00 2001
From: Derrick Hammer
Date: Tue, 9 Jun 2026 18:14:23 +0000
Subject: [PATCH] fix: shell quote leak in release-go workflow target passing
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The workflow built args via string concatenation with literal single quotes inside: args="$args --targets '${{ inputs.targets }}'". Since $args was unquoted on invocation, bash didn't re-process the quotes — they passed through as literal characters to argparse, making the target name 'onboarding' (with quotes) instead of onboarding. Switch to bash array (ARGS+=) with proper "${ARGS[@]}" expansion so values pass through cleanly. Also strip quote characters in the Python filter_targets() as defense-in-depth, and remove duplicate --force/--no-push checks in the workflow.
---
 .github/workflows/release-go.yml | 24 +++++++++---------------
 scripts/release-go.py | 2 +-
 2 files changed, 10 insertions(+), 16 deletions(-)
diff --git a/.github/workflows/release-go.yml b/.github/workflows/release-go.yml
index 5cd7d401d..e0ecae73b 100644
--- a/.github/workflows/release-go.yml
+++ b/.github/workflows/release-go.yml
@@ -63,37 +63,31 @@ jobs:
 - name: Release
 id: release
 run: |
- args=""
+ ARGS=()
 if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
 if [ "${{ inputs.targets }}" != "all" ]; then
- args="$args --targets '${{ inputs.targets }}'"
+ ARGS+=("--targets" "${{ inputs.targets }}")
 fi
 if [ "${{ inputs.force }}" = "true" ]; then
- args="$args --force"
+ ARGS+=("--force")
 fi
 if [ "${{ inputs.no_push }}" = "true" ]; then
- args="$args --no-push"
+ ARGS+=("--no-push")
 fi
 if [ "${{ inputs.verbose }}" = "true" ]; then
- args="$args --verbose"
+ ARGS+=("--verbose")
 fi
 if [ "${{ inputs.dry_run }}" = "true" ]; then
- args="$args --dry-run"
+ ARGS+=("--dry-run")
 fi
 if [ "${{ inputs.validate_only }}" = "true" ]; then
- args="$args --validate-only"
- fi
- if [ "${{ inputs.force }}" = "true" ]; then
- args="$args --force"
- fi
- if [ "${{ inputs.no_push }}" = "true" ]; then
- args="$args --no-push"
+ ARGS+=("--validate-only")
 fi
 fi
- echo "Running: python scripts/release-go.py $args"
- python scripts/release-go.py $args
+ echo "Running: python scripts/release-go.py ${ARGS[*]}"
+ python scripts/release-go.py "${ARGS[@]}"
 - name: Get modified apps info
 id: get_modified_apps
diff --git a/scripts/release-go.py b/scripts/release-go.py
index e7c118334..fc781721a 100755
--- a/scripts/release-go.py
+++ b/scripts/release-go.py
@@ -878,7 +878,7 @@ def filter_targets(registry: BuildRegistry, target_filter: str) -> List[BuildTar
 logger.info(f"Available targets: {sorted(registry.targets.keys())}")
 return list(registry.targets.values())
- requested_targets = [t.strip() for t in target_filter.split(",")]
+ requested_targets = [t.strip().strip('\'"') for t in target_filter.split(",")]
 filtered_targets = []
 for target_name in requested_targets:
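Review bot: The Release step in `.github/workflows/release-go.yml` still expands `${{ inputs.targets }}` into the script text before bash parses it, so a value containing `"`, a backtick or `$(` ends the quoted string and is interpreted as shell; the array fixes word splitting only. Passing the input through the step environment closes this: add `env:` with `TARGETS: ${{ inputs.targets }}` on the step, compare with `[ "$TARGETS" != "all" ]`, and append with `ARGS+=("--targets" "$TARGETS")`. The boolean inputs in the same step are interpolated the same way, but their `inputs` declaration is outside the hunk, so whether they are constrained to `true`/`false` cannot be confirmed from here.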
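Review bot: In `filter_targets` in `scripts/release-go.py` the new comprehension drops quote characters silently and keeps any whitespace that sat inside them, so `"onboarding "` becomes `onboarding ` and a quoting regression in a caller goes unnoticed. Strip once more after the quotes, `[t.strip().strip('\'"').strip() for t in target_filter.split(",")]`, and document the intent with a comment such as `# Defense-in-depth: callers have passed literal quotes through; drop them here.` Logging a warning whenever a token was changed would keep a workflow-side quoting bug visible in the release log. The function starts and ends outside the hunk, so how empty or unknown names are handled afterwards is not visible here.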