From b2c1b6ee923019f7b35d9b8d77977c33d93be67d Mon Sep 17 00:00:00 2001
From: Natalie Bunduwongse
Date: Mon, 18 May 2026 12:48:52 +1200
Subject: [PATCH 1/2] fix: use GitHub API to create tags, supporting audience/vX.Y.Z format
negz/create-tag@v1 validates semver strictly and rejects the audience/vX.Y.Z tag name format due to the slash prefix.
Co-Authored-By: Claude Sonnet 4.6
---
 .github/workflows/tag.yml | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/tag.yml b/.github/workflows/tag.yml
index f48f3c9e..9047cedc 100644
--- a/.github/workflows/tag.yml
+++ b/.github/workflows/tag.yml
@@ -46,8 +46,11 @@ jobs:
 fi
 - name: Create Tag
- uses: negz/create-tag@v1
- with:
- version: "${{ env.TAG }}"
- message: "Version ${{ env.TAG }}"
- token: ${{ secrets.GITHUB_TOKEN }}
+ run: |
+ SHA=$(git rev-parse HEAD)
+ gh api /repos/${{ github.repository }}/git/refs \
+ --method POST \
+ -f ref="refs/tags/${{ env.TAG }}" \
+ -f sha="$SHA"
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
From 5ae826fe1677c1badc2bfd5460e2b348278da9b7 Mon Sep 17 00:00:00 2001
From: Natalie Bunduwongse
Date: Mon, 18 May 2026 12:54:58 +1200
Subject: [PATCH 2/2] fix: avoid shell injection by passing TAG as env var not inline expression
Co-Authored-By: Claude Sonnet 4.6
---
 .github/workflows/tag.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/tag.yml b/.github/workflows/tag.yml
index 9047cedc..70d31f34 100644
--- a/.github/workflows/tag.yml
+++ b/.github/workflows/tag.yml
@@ -50,7 +50,8 @@ jobs:
 SHA=$(git rev-parse HEAD)
 gh api /repos/${{ github.repository }}/git/refs \
 --method POST \
- -f ref="refs/tags/${{ env.TAG }}" \
+ -f ref="refs/tags/${TAG}" \
 -f sha="$SHA"
 env:
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ TAG: ${{ env.TAG }}
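Review bot: Replacing negz/create-tag removes the strict tag-name validation the commit message describes, and nothing in the new `run` block of PATCH 1/2 checks `TAG` before it is posted as a ref name. The preceding step ends outside this hunk (`fi`) and may already constrain the value; if it does not, a guard as the first script line, e.g. `[[ "$TAG" =~ ^([a-z0-9-]+/)?v[0-9]+\.[0-9]+\.[0-9]+$ ]] || exit 1` (pattern constructed for illustration, adjust to the real scheme), keeps release tags to the intended `audience/vX.Y.Z` shape. Separately, posting a commit SHA to `git/refs` creates a lightweight tag, so the `Version …` message the old step passed is no longer recorded; a comment above `run:` such as `# creates a lightweight tag; no tag message is stored` would make that intentional.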
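Review bot: The context line `gh api /repos/${{ github.repository }}/git/refs \` in PATCH 2/2 still expands an expression into the script text, the same pattern this commit removes for `TAG`. Repository names are restricted enough that the risk is low, but for consistency the runner-provided variable can be used instead: `gh api "/repos/${GITHUB_REPOSITORY}/git/refs" \`. The added `TAG: ${{ env.TAG }}` mapping is probably redundant if `TAG` is already set through workflow/job `env` or `GITHUB_ENV`, since those values are exported to `run` steps; keeping it is harmless and makes the dependency explicit. The `run` block starts above this hunk, so any earlier lines of the script were not reviewed here.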