From d77dab957bda1795d0ebb1e0b47ace54374ba4df Mon Sep 17 00:00:00 2001
From: gram-signal <84339875+gram-signal@users.noreply.github.com>
Date: Wed, 15 Apr 2026 13:44:31 -0700
Subject: [PATCH] Secure reference to ref_name.

---
 .github/workflows/push-lambda.yml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/push-lambda.yml b/.github/workflows/push-lambda.yml
index d572c71..63125e2 100644
--- a/.github/workflows/push-lambda.yml
+++ b/.github/workflows/push-lambda.yml
@@ -4,6 +4,9 @@ on:
   release:
     types: [published]
 
+env:
+  REF_NAME: ${{ github.ref_name }}
+
 jobs:
   build-and-push:
     runs-on: ubuntu-latest
@@ -35,8 +38,8 @@ jobs:
 
       - name: Build and lambda jar
         working-directory: filter-cds-updates
-        run: ../mvnw -e -B verify -Djgitver.use-version=${{ github.ref_name }}
+        run: ../mvnw -e -B verify -Djgitver.use-version="${REF_NAME}"
 
       - name: Upload artifact to S3
         working-directory: filter-cds-updates
-        run: aws s3 cp target/filter-cds-updates-lambda-${{ github.ref_name }}.jar s3://${{ vars.S3_BUCKET }}/${{ vars.S3_BUCKET_KEY }}/
+        run: aws s3 cp "target/filter-cds-updates-lambda-${REF_NAME}.jar" s3://${{ vars.S3_BUCKET }}/${{ vars.S3_BUCKET_KEY }}/