From 27c3c656d87049436a4a5671d76f98c5cbdd6a61 Mon Sep 17 00:00:00 2001
From: Brandon Diaz <“BrandonLouisDiaz@gmail.com”>
Date: Mon, 16 Jun 2025 16:21:51 -0400
Subject: [PATCH 1/2] Replace shell script with actions/checkout to avoid injection attack vector

---
 .github/workflows/push-tag-create-release.yml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/push-tag-create-release.yml b/.github/workflows/push-tag-create-release.yml
index ff438e3ffc11..2d96589d985a 100644
--- a/.github/workflows/push-tag-create-release.yml
+++ b/.github/workflows/push-tag-create-release.yml
@@ -86,8 +86,11 @@ jobs:
 - name: Check out tag from push
 if: github.event_name == 'push'
- run: |
- git checkout ${{ github.ref }}
+ uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3
+ with:
+ ref: ${{ github.ref }}
+ fetch-depth: 0 # all history
+ persist-credentials: false
 - name: Check out tag from manual input
 if: github.event_name == 'workflow_dispatch'
 run: |

From 4d64153f36ea5a69bff6d6cedefee9f68952b39d Mon Sep 17 00:00:00 2001
From: Brandon Diaz <“BrandonLouisDiaz@gmail.com”>
Date: Mon, 16 Jun 2025 16:25:55 -0400
Subject: [PATCH 2/2] Also replace git checkout command for manually input tags, for consistency and just incase the manual input tags present another attack vector

---
 .github/workflows/push-tag-create-release.yml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/push-tag-create-release.yml b/.github/workflows/push-tag-create-release.yml
index 2d96589d985a..f853f9e03a94 100644
--- a/.github/workflows/push-tag-create-release.yml
+++ b/.github/workflows/push-tag-create-release.yml
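Review bot: On the push path, `ref: ${{ github.ref }}` restates what actions/checkout already uses by default for the event that triggered the workflow, so the line is redundant; either drop it or keep it with a comment such as `ref: ${{ github.ref }} # explicit: the pushed tag, same as the action default` so the next reader does not look for a difference. The pin `f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3` is a v3 commit, and v3 runs on the Node 16 runtime that GitHub has deprecated; if other steps in this workflow are already on v4 (the rest of the job is outside the hunk), ratchet this step to the same major to avoid runner warnings and a mixed pin set. The same two remarks apply to the second hunk of this series, which adds an identical step for the manual-input path. `fetch-depth: 0 # all history` says what, not why — if the release-report steps that follow need tag history, say so (`# full history: release reports walk tag history — confirm`); if they do not, the full clone is unnecessary work.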
@@ -93,8 +93,11 @@ jobs:
 persist-credentials: false
 - name: Check out tag from manual input
 if: github.event_name == 'workflow_dispatch'
- run: |
- git checkout refs/tags/${{ github.event.inputs.tag }}
+ uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3
+ with:
+ ref: refs/tags/${{ github.event.inputs.tag }}
+ fetch-depth: 0 # all history
+ persist-credentials: false
 # Generate release reports
 - name: Create release reports (manifests)
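Review bot: The manual-input path still interpolates `github.event.inputs.tag` without any shape check in `ref: refs/tags/${{ github.event.inputs.tag }}`; moving it out of `run:` removes the shell, and actions/checkout hands the ref to git as an argument rather than through a shell, so the injection class the commit targets is closed, but an input that is not a tag name now only fails inside the action's fetch with a git error rather than a clear message. A short validation step placed before this checkout, reading the input through an environment variable rather than an inline expression, fails fast and documents the expected tag convention; the pattern below is a constructed example and should be replaced with the project's actual tag convention.

```yaml
      - name: Validate tag input
        if: github.event_name == 'workflow_dispatch'
        env:
          TAG: ${{ github.event.inputs.tag }}
        run: |
          # <TAG_PATTERN>: constructed example, replace with the project's tag convention
          [[ "$TAG" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]] || { echo "unexpected tag input: $TAG" >&2; exit 1; }
      - name: Check out tag from manual input
      # … unchanged: actions/checkout step with ref/fetch-depth/persist-credentials …
```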