From fc0251e2ebd5b18941bff6db97b86e868f0916f7 Mon Sep 17 00:00:00 2001
From: Kevin Liu
Date: Sun, 22 Feb 2026 18:07:44 -0800
Subject: [PATCH] Potential fix for code scanning alert no. 1: Cache Poisoning via low-privileged code injection
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 .github/workflows/release_python.yml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/release_python.yml b/.github/workflows/release_python.yml
index 2203271b33..f4cf4a761a 100644
--- a/.github/workflows/release_python.yml
+++ b/.github/workflows/release_python.yml
@@ -55,11 +55,14 @@ jobs:
 # Use input for workflow_dispatch, otherwise use `workflow_run.head_branch` # Note, `workflow_run.head_branch` does not contain `refs/tags/` prefix, just the tag name, i.e. `v0.4.0` or `v0.4.0-rc.1` # Valid formats: v.. OR v..-rc. + env: DISPATCH_RELEASE_TAG: ${{ github.event.inputs.release_tag }} RUN_HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }} run: | if [ "${{ github.event_name }}" == "workflow_dispatch" ]; then - RELEASE_TAG="${{ github.event.inputs.release_tag }}" + RELEASE_TAG="$DISPATCH_RELEASE_TAG" else - RELEASE_TAG="${{ github.event.workflow_run.head_branch }}" + RELEASE_TAG="$RUN_HEAD_BRANCH" fi echo "Validating release tag: $RELEASE_TAG" if [[ ! "$RELEASE_TAG" =~ ^v[0-9]+\.[0-9]+\.[0-9]+(-rc\.[0-9]+)?$ ]]; then
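Review bot: The line `if [ "${{ github.event_name }}" == "workflow_dispatch" ]; then` in the run block still expands a template expression straight into the shell script, which is the pattern the rest of the hunk removes; `github.event_name` is set by GitHub rather than by a contributor, so it is not injectable, but for consistency the step can read the built-in `$GITHUB_EVENT_NAME` instead: `if [ "$GITHUB_EVENT_NAME" == "workflow_dispatch" ]; then`. With that change the run block contains no `${{ }}` expansions at all, so the only contributor-influenced data reaching the shell from a `workflow_run` event is the head branch name passed through `RUN_HEAD_BRANCH` as plain data, and the regex check on the last line of the hunk is what decides whether it is used. The comment `# Valid formats: v.. OR v..-rc.` reads as if its placeholders were lost (something like `v<major>.<minor>.<patch>`), which is worth confirming against the file since it is the only prose statement of the accepted tag shape. The step that owns this run block starts before the hunk and its script continues past it.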