From 776c89453c616fc55b2a5ba20a0eefb9b01e0ad5 Mon Sep 17 00:00:00 2001
From: stevenhorsman
Date: Thu, 29 May 2025 14:00:17 +0100
Subject: [PATCH] workflow: Remove code injection in helm login

In theory `github.actor` could be used for code injection, so swap it out.

Signed-off-by: stevenhorsman
---
 .github/workflows/release.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 40310ecd47..4908f9a241 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -253,7 +253,7 @@ jobs:
 - name: Login to the OCI registries
 run: |
 echo "${{ secrets.QUAY_DEPLOYER_PASSWORD }}" | helm registry login quay.io --username "${{ vars.QUAY_DEPLOYER_USERNAME }}" --password-stdin
- echo "${{ github.token }}" | helm registry login ghcr.io --username "${{ github.actor }}" --password-stdin
+ echo "${{ github.token }}" | helm registry login ghcr.io --username $ --password-stdin

 - name: Push helm chart to the OCI registries
 run: |
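Review bot: The added ghcr.io login line passes a bare `$` to `--username`, so as shown here helm receives a literal dollar sign instead of the account name. A variable reference may have been lost when this page was extracted, so the committed line should be checked. If the intent is the runner-provided environment variable, write it quoted as `--username "${GITHUB_ACTOR}"`, so the shell reads the value at run time rather than having the expression engine paste it into the script text. The context lines of the same step still expand `${{ secrets.QUAY_DEPLOYER_PASSWORD }}`, `${{ vars.QUAY_DEPLOYER_USERNAME }}` and `${{ github.token }}` directly into the script. Mapping them through the step's `env:` and referencing them as quoted shell variables would apply the fix consistently, and would stop a value containing quotes or `$(` from altering the command.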