fix(ci): resolve tag from API instead of workflow_run context

[SuaveIV]

Problem

CodeQL flagged 7 critical alerts in release-arm64.yml:

• actions/untrusted-checkout — the workflow checked out code at a ref sourced from workflow_run
• actions/code-injection (×6) — ${{ env.TAG }} was populated from github.event.workflow_run.head_branch, which is attacker-controlled

An attacker could create a branch named e.g. v0.2.3; malicious-command and trigger the release workflow, injecting into the tag resolution before validation ran.

Fix

• Removes TAG from the job-level env block entirely
• Adds a dedicated resolve-tag step that sources the tag from two trusted inputs only:
  • inputs.tag for manual workflow_dispatch (privileged user input)
  • The GitHub releases API for workflow_run triggers (data the repo owns)
• Validation runs in the same step before the value is written to $GITHUB_OUTPUT
• All downstream references use ${{ steps.resolve-tag.outputs.tag }} instead of ${{ env.TAG }}

Testing

• Trigger via workflow_dispatch with a valid tag — confirm build and upload succeed
• Confirm CodeQL alerts are resolved on next scan

Summary by CodeRabbit

• Chores
  • Improved release workflow: the pipeline now reliably determines and validates the release tag early, updates all downstream steps to use that resolved tag, and provides clearer logs and error handling. No end-user functional changes.

[coderabbitai]

Warning

Rate limit exceeded

@SuaveIV has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 6 minutes and 10 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: ebacfa60-ac2a-4906-80ac-4af967374514

📥 Commits

Reviewing files that changed from the base of the PR and between bf7c427 and 6123d5f.

📒 Files selected for processing (1)

• .github/workflows/release-arm64.yml

📝 Walkthrough

Walkthrough

Introduces a "Resolve and validate tag" step in the GitHub Actions release workflow that derives a tag from input or latest release, validates it, exposes it as steps.resolve-tag.outputs.tag, and replaces prior TAG environment variable references with that output across downstream steps.

Changes

Cohort / File(s)	Summary
Tag resolution & workflow .github/workflows/release-arm64.yml	Adds a Resolve and validate tag step that computes and validates a release tag and exposes it as steps.resolve-tag.outputs.tag. Replaces prior uses of the TAG env var with the computed output across checkout ref, filenames (packaging, checksums, attestation), wait-for-release messaging, API calls, and release upload tag_name.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• security: add build provenance attestation to ARM64 release artifacts #15 — Also edits .github/workflows/release-arm64.yml, touching attestation/upload filenames and tag referencing; may conflict with tag usage changes.
• security: pin action SHAs and harden CI workflows #12 — Introduces tag-resolution/validation logic in the same workflow and replaces TAG usage with computed outputs.

Poem

🐰 I sniffed the tags in the CI night,
Resolved and validated, shining bright.
From env to output, tidy and snug,
A hoppity commit — release gave a hug! 🥕✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: replacing tag resolution from workflow_run context with API-based resolution.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch security/arm64-release-fix

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/release-arm64.yml:
- Around line 32-33: The current gh api call using "repos/${{ github.repository
}}/releases/latest" only returns published releases and can pick the wrong tag;
update the TAG assignment to call "repos/${{ github.repository }}/releases"
(which returns drafts too) and extract the appropriate tag_name (e.g., use --jq
'.[0].tag_name' or filter by draft/created_at as needed) so TAG is set from the
most recent release object including drafts; ensure you keep the same TAG
variable and replace the existing gh api invocation accordingly.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 13d38810-7011-4313-a62a-e048365de7c9

📥 Commits

Reviewing files that changed from the base of the PR and between e46f380 and f2300be.

📒 Files selected for processing (1)

• .github/workflows/release-arm64.yml

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/release-arm64.yml:
- Around line 32-36: The current gh api call that sets TAG by selecting
.[0].tag_name must be replaced with a lookup that matches the release whose
target commit equals the triggering run's head SHA; use
github.event.workflow_run.head_sha (or GITHUB_SHA) rather than taking the first
release. Update the TAG assignment logic (the variable TAG and the gh api call)
to query releases and filter with a --jq expression that returns the tag_name
for the release where .target_commitish (or .target_commit) ==
github.event.workflow_run.head_sha, and keep the existing error/exit path if no
matching release is found.
- Around line 29-30: The run step is directly interpolating ${{
github.event.inputs.tag }} into the shell which can cause command injection;
instead export the workflow_dispatch input as an environment variable (e.g.,
env: INPUT_TAG: ${{ github.event.inputs.tag }}) and in the script refer to the
shell variable (INPUT_TAG) when setting TAG and performing the regex check;
update the lines that set TAG (currently using ${ { github.event.inputs.tag }})
to use the shell variable (e.g., if [[ -n "$INPUT_TAG" ]]; then TAG="$INPUT_TAG"
), then proceed with the existing validation logic so the expansion happens in
the shell and is validated rather than expanded by GitHub Actions.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: a996b761-0f8f-4943-9236-5e3e6afc0a93

📥 Commits

Reviewing files that changed from the base of the PR and between f2300be and bf7c427.

📒 Files selected for processing (1)

• .github/workflows/release-arm64.yml