From c01ef4972af5199259f0bf8b338a93e2a0ba00bb Mon Sep 17 00:00:00 2001
From: "fix-it-felix-sentry[bot]" <260785270+fix-it-felix-sentry[bot]@users.noreply.github.com>
Date: Thu, 30 Apr 2026 05:29:39 +0000
Subject: [PATCH 1/2] fix: Prevent shell injection in build workflow
Use environment variables to safely handle github context data in run steps to prevent potential code injection attacks.
Fixes https://linear.app/getsentry/issue/VULN-1601
Fixes https://linear.app/getsentry/issue/ENG-7567
Co-Authored-By: fix-it-felix-sentry[bot] <260785270+fix-it-felix-sentry[bot]@users.noreply.github.com>
---
.github/workflows/build.yml | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index f40ebe39..d0fd37eb 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -34,15 +34,18 @@ jobs:
 - name: Get docker tag
 id: docker_tag
+ env:
+ GITHUB_REF: ${{ github.ref }}
+ GITHUB_EVENT_NAME: ${{ github.event_name }}
 run: |
- if [[ "${{ github.ref }}" == "refs/heads/master" ]]; then
+ if [[ "$GITHUB_REF" == "refs/heads/master" ]]; then
 echo "docker_tag=master" >> $GITHUB_OUTPUT
 yarn set-docker-tag master
 else
 TAG=$(yq '... | select(has("uses") and .uses | test("docker://ghcr.io/getsentry/action-release-image:.*")) | .uses' action.yml | awk -F':' '{print $3}')
 echo "docker_tag=$TAG" >> $GITHUB_OUTPUT
- if [[ "${{ github.event_name }}" == "pull_request" ]]; then
+ if [[ "$GITHUB_EVENT_NAME" == "pull_request" ]]; then
 if [[ "$TAG" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
 echo "Error: docker_tag $TAG matching format MAJOR.MINOR.PATCH is not allowed inside pull requests."
 echo "Please rename the docker tag in action.yml and try again."
From 7dbc795fd5cd0bd5115703170c47536245b51027 Mon Sep 17 00:00:00 2001
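Review bot: `TAG` is derived from action.yml via the yq/awk pipeline in the else branch and is written unvalidated to `$GITHUB_OUTPUT` and handed to the subsequent steps, yet the only check on it in the hunk is the semver-format rejection for pull requests; an empty result (no matching `uses` entry, or a yq failure masked by the awk stage) silently produces `docker_tag=`, and a value outside the docker tag character set would be written into the step output as-is. A guard right after the assignment closes both gaps: `if [[ -z "$TAG" || ! "$TAG" =~ ^[A-Za-z0-9_][A-Za-z0-9_.-]*$ ]]; then` / `  echo "Error: could not derive a valid docker tag from action.yml"; exit 1` / `fi`. Quoting the redirect target on the two echo lines (`>> "$GITHUB_OUTPUT"`) would also be consistent with the quoted variable expansions this change introduces. The `run:` script's if/else blocks close outside the hunk.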
From: Andrei Borza
Date: Thu, 30 Apr 2026 14:40:28 +0900
Subject: [PATCH 2/2] Use in-built env vars instead of redefining them
---
.github/workflows/build.yml | 3 ---
action.yml | 2 +-
2 files changed, 1 insertion(+), 4 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index d0fd37eb..d55b18b4 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -34,9 +34,6 @@ jobs:
 - name: Get docker tag
 id: docker_tag
- env:
- GITHUB_REF: ${{ github.ref }}
- GITHUB_EVENT_NAME: ${{ github.event_name }}
 run: |
 if [[ "$GITHUB_REF" == "refs/heads/master" ]]; then
 echo "docker_tag=master" >> $GITHUB_OUTPUT
diff --git a/action.yml b/action.yml
index 69d2f0aa..39bd07c9 100644
--- a/action.yml
+++ b/action.yml
@@ -167,7 +167,7 @@ runs:
 INPUT_WORKING_DIRECTORY: ${{ inputs.working_directory }}
 INPUT_DISABLE_TELEMETRY: ${{ inputs.disable_telemetry }}
 INPUT_DISABLE_SAFE_DIRECTORY: ${{ inputs.disable_safe_directory }}
- uses: docker://ghcr.io/getsentry/action-release-image:ab-add-dotagents
+ uses: docker://ghcr.io/getsentry/action-release-image:fix-eng-7567-shell-injection-vulnerability
 # For actions running on macos or windows runners, we use a composite
 # action approach which allows us to install the arch specific sentry-cli