From 559b0da0c5eb2db62059a4ce230134306b827578 Mon Sep 17 00:00:00 2001
From: "fix-it-felix-sentry[bot]" <260785270+fix-it-felix-sentry[bot]@users.noreply.github.com>
Date: Sun, 26 Apr 2026 04:57:18 +0000
Subject: [PATCH] fix: prevent shell injection in sync-xcodebuildmcp-docs workflow

Use environment variable instead of direct interpolation of inputs.ref to prevent potential shell injection attacks.
Fixes: https://linear.app/getsentry/issue/ENG-7519
Related: https://linear.app/getsentry/issue/VULN-1565
Co-Authored-By: Claude Sonnet 4.5
---
 .github/workflows/sync-xcodebuildmcp-docs.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/sync-xcodebuildmcp-docs.yml b/.github/workflows/sync-xcodebuildmcp-docs.yml
index 3323b7f..9c11559 100644
--- a/.github/workflows/sync-xcodebuildmcp-docs.yml
+++ b/.github/workflows/sync-xcodebuildmcp-docs.yml
@@ -43,9 +43,10 @@ jobs:
       - name: Sync manifests
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          INPUT_REF: ${{ inputs.ref }}
         run: |
-          if [ -n "${{ inputs.ref }}" ]; then
-            pnpm run docs:sync -- --ref="${{ inputs.ref }}"
+          if [ -n "$INPUT_REF" ]; then
+            pnpm run docs:sync -- --ref="$INPUT_REF"
           else
             pnpm run docs:sync
           fi
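Review bot: Moving inputs.ref into the env block stops the runner's shell from parsing it, but the value is still forwarded verbatim as `--ref="$INPUT_REF"` to `pnpm run docs:sync`, and whether that script validates the ref before using it (for example in a git command of its own) is not visible from this hunk. Since the input presumably arrives through a trigger defined outside the hunk, it is worth constraining the value in the step itself, right after `run: |` and before the `if`, e.g. `case "$INPUT_REF" in *[!A-Za-z0-9._/-]*) echo "ref contains unexpected characters" >&2; exit 1;; esac`. A one-line comment above the new env entry, such as `# pass inputs.ref via env rather than ${{ }} interpolation so the shell never parses it`, would record why INPUT_REF exists and make it less likely a later edit reintroduces interpolation into run:. The job and the input definition begin before the hunk.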