Merge pull request #249 from sendbird/fix/internal-security

chore: improve version handling in publish-package.yml for security

Author: OnestarLee

.github/workflows/publish-package.yml

@@ -18,8 +18,11 @@ jobs:
       - uses: actions/setup-node@v4
       - name: 'validation'
         uses: actions/github-script@v7
+        env:
+          VERSION: ${{ github.event.inputs.version }}
         with:
           script: |
+            const version = process.env.VERSION;
             const permission = await github.rest.repos.getCollaboratorPermissionLevel({
               owner: context.repo.owner,
               repo: context.repo.repo,
@@ -29,8 +32,8 @@ jobs:
               core.setFailed(`User ${context.actor} does not have write or admin permissions to this repository.`);
             }
             const currentBranch = context.ref.replace('refs/heads/', '');
-            if (currentBranch !== `release/${{ github.event.inputs.version }}`) {
-              core.setFailed(`Current branch ${currentBranch} does not match release/${{ github.event.inputs.version }}`);
+            if (currentBranch !== `release/${version}`) {
+              core.setFailed(`Current branch ${currentBranch} does not match release/${version}`);
             }
             const pullRequests = await github.rest.pulls.list({
               owner: context.repo.owner,
@@ -53,11 +56,13 @@ jobs:
       - name: 'publish to npm'
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          VERSION: ${{ github.event.inputs.version }}
         run: |
-          yarn lerna version ${{ github.event.inputs.version }} --yes
+          yarn lerna version "$VERSION" --yes
           yarn lerna publish from-git --yes
       - name: 'approve a pull request'
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR_NUMBER: ${{ env.PR_NUMBER }}
         run: |
-          gh pr review ${{ env.PR_NUMBER }} --approve --body "approved by automation"
+          gh pr review "$PR_NUMBER" --approve --body "approved by automation"