
Potential fix for environment variable built from user-controlled sources #38942

Open
derrickaw wants to merge 1 commit into master from alert-autofix-1

Potential fix for environment variable built from user-controlled sources#38942
derrickaw wants to merge 1 commit into
masterfrom
alert-autofix-1

Conversation

@derrickaw derrickaw commented Jun 12, 2026

Collaborator

Potential fix for https://github.com/apache/beam/security/code-scanning/1

Use strict parsing + sanitization before writing to $GITHUB_ENV:

  • Read only the first sdk_version= line from gradle.properties.
  • Extract the value safely.
  • Reject values containing CR/LF (prevents env-file line injection).
  • Optionally validate expected version format to keep behavior aligned with intended semantics.
  • Write using printf to avoid shell echo quirks.

Change only .github/workflows/beam_Publish_Beam_SDK_Snapshots.yml in the Find Beam Version step (lines around 90–92). No import/dependency changes are needed.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

run - https://github.com/apache/beam/actions/runs/27416123769

…rces

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
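The parsing and sanitization steps listed in the description above, as an added example that is not the PR's own change. The file name gradle.properties and the sdk_version key come from the description; the BEAM_VERSION name, the version regex and the sample property files are assumptions.

```shell
# Added example (not the PR's own change): the hardened "Find Beam Version"
# logic as shell functions that can be exercised outside GitHub Actions.
# gradle.properties and the sdk_version key come from the PR description;
# the BEAM_VERSION name and the version regex are assumptions.

# Print the value of the first sdk_version= line in the given file, or
# return 1 and print nothing if the key is missing, the value carries a
# stray CR, or it does not match the expected version shape.
extract_sdk_version() {
    file="$1"
    cr="$(printf '\r')"
    # First match only; '|| true' keeps a missing key from aborting under set -e.
    line="$(grep -m1 '^sdk_version=' "$file" 2>/dev/null || true)"
    [ -n "$line" ] || return 1
    value="${line#sdk_version=}"
    # grep yields a single line, so no LF can remain, but a CR (e.g. from a
    # CRLF-edited file) can. Either would let the value start a new
    # KEY=VALUE line in $GITHUB_ENV, so reject rather than trim.
    case "$value" in
        *"$cr"*) return 1 ;;
    esac
    # Allow-list the expected shape (assumed: MAJOR.MINOR.PATCH[-SNAPSHOT]),
    # so free-form text never reaches the env file.
    printf '%s' "$value" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+(-SNAPSHOT)?$' || return 1
    printf '%s\n' "$value"
}

# Append BEAM_VERSION=<value> to the env file (defaults to $GITHUB_ENV) using
# printf rather than echo, so no option parsing or escape handling applies.
export_beam_version() {
    file="$1"
    env_file="${2:-$GITHUB_ENV}"
    value="$(extract_sdk_version "$file")" || {
        echo "refusing to export: missing or malformed sdk_version in $file" >&2
        return 1
    }
    printf 'BEAM_VERSION=%s\n' "$value" >> "$env_file"
}
```

In a workflow step the second argument is omitted and the value lands in the runner-provided $GITHUB_ENV file.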
@github-actions github-actions Bot added the build label Jun 12, 2026
@derrickaw derrickaw changed the title from "Potential fix for code scanning alert no. 1: Environment variable built from user-controlled sources" to "Potential fix for environment variable built from user-controlled sources" Jun 12, 2026
@derrickaw

Collaborator Author

/gemini review

@gemini-code-assist

Contributor

Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

@derrickaw derrickaw marked this pull request as ready for review June 16, 2026 14:18
@gemini-code-assist

Contributor

Note

Gemini is unable to generate a summary for this pull request due to the file types involved not being currently supported.

@github-actions

Contributor

Assigning reviewers:

R: @Abacn for label build.

Note: If you would like to opt out of this review, comment assign to next reviewer.

Available commands:

  • stop reviewer notifications - opt out of the automated review tooling
  • remind me after tests pass - tag the comment author after tests pass
  • waiting on author - shift the attention set back to the author (any comment or push by the author will return the attention set to the reviewers)

The PR bot will only process comments in the main thread (not review comments).
