diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index f40ebe39..d55b18b4 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -35,14 +35,14 @@ jobs:
       - name: Get docker tag
         id: docker_tag
         run: |
-          if [[ "${{ github.ref }}" == "refs/heads/master" ]]; then
+          if [[ "$GITHUB_REF" == "refs/heads/master" ]]; then
             echo "docker_tag=master" >> $GITHUB_OUTPUT
             yarn set-docker-tag master
           else
             TAG=$(yq '... | select(has("uses") and .uses | test("docker://ghcr.io/getsentry/action-release-image:.*")) | .uses' action.yml | awk -F':' '{print $3}')
             echo "docker_tag=$TAG" >> $GITHUB_OUTPUT
 
-            if [[ "${{ github.event_name }}" == "pull_request" ]]; then
+            if [[ "$GITHUB_EVENT_NAME" == "pull_request" ]]; then
               if [[ "$TAG" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
                 echo "Error: docker_tag $TAG matching format MAJOR.MINOR.PATCH is not allowed inside pull requests."
                 echo "Please rename the docker tag in action.yml and try again."
diff --git a/action.yml b/action.yml
index 69d2f0aa..39bd07c9 100644
--- a/action.yml
+++ b/action.yml
@@ -167,7 +167,7 @@ runs:
         INPUT_WORKING_DIRECTORY: ${{ inputs.working_directory }}
         INPUT_DISABLE_TELEMETRY: ${{ inputs.disable_telemetry }}
         INPUT_DISABLE_SAFE_DIRECTORY: ${{ inputs.disable_safe_directory }}
-      uses: docker://ghcr.io/getsentry/action-release-image:ab-add-dotagents
+      uses: docker://ghcr.io/getsentry/action-release-image:fix-eng-7567-shell-injection-vulnerability
 
     # For actions running on macos or windows runners, we use a composite
     # action approach which allows us to install the arch specific sentry-cli