fix: harden release-trigger against shell injection and fix stale docs

- Pass workflow_dispatch version input via env: instead of direct interpolation into shell script, preventing potential injection attacks - Validate version input against strict semver regex before use - Fix RELEASE-PROCESS.md Option 2 still referencing [Unreleased] section handling that no longer exists in the workflow
github · mnriem · Mar 2, 2026 · Mar 2, 2026 · Mar 2, 2026 · Mar 2, 2026
commit 88e50a10ec1b7b725641a05ca139a669c888cb06
@@ -74,8 +74,7 @@ The workflow will:
 The workflow will:
 - Use your specified version
 - Update `pyproject.toml`
-- Convert `[Unreleased]` section in CHANGELOG.md to the new version
-- Add a new empty `[Unreleased]` section
+- Update `CHANGELOG.md` by adding a new section for the release based on commits since the last tag
 - Commit changes
 - Create and push git tag
 - Trigger the release workflow automatically

@@ -27,12 +27,17 @@ jobs:
 
       - name: Determine version
         id: version
+        env:
+          INPUT_VERSION: ${{ github.event.inputs.version }}
         run: |
-          if [[ -n "${{ github.event.inputs.version }}" ]]; then
-            # Manual version specified
-            VERSION="${{ github.event.inputs.version }}"
-            # Remove 'v' prefix if present
-            VERSION=${VERSION#v}
+          if [[ -n "$INPUT_VERSION" ]]; then
+            # Manual version specified - strip optional v prefix
+            VERSION="${INPUT_VERSION#v}"
+            # Validate strict semver format to prevent injection
+            if [[ ! "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+              echo "Error: Invalid version format '$VERSION'. Must be X.Y.Z (e.g. 1.2.3 or v1.2.3)"
+              exit 1
+            fi
             echo "version=$VERSION" >> $GITHUB_OUTPUT
             echo "tag=v$VERSION" >> $GITHUB_OUTPUT
             echo "Using manual version: $VERSION"