Potential fix for https://github.com/SyntheticAutonomicMind/SAM/security/code-scanning/1

General fix: avoid interpolating ${{ ... }} expressions directly in shell command bodies when they may contain untrusted data. Instead, assign them to environment variables using env: at the step level, and then reference them using the shell’s own variable expansion syntax ($VAR). This prevents expression-time concatenation with shell syntax and reduces the risk of command injection.

Best concrete fix here:

1. In the "Extract version from workflow run" step:

   • Add an env: block that exposes github.event_name, github.event.inputs.version, and github.event.workflow_run.head_branch as environment variables (e.g., EVENT_NAME, INPUT_VERSION, HEAD_BRANCH).
   • Update the shell script to use $EVENT_NAME, $INPUT_VERSION, and $HEAD_BRANCH instead of ${{ ... }} directly in run:. This addresses the flagged injection on line 37 (head_branch) and also hardens the other uses in that step.

2. In the "Update SAM cask" step:

   • Add an env: block mapping steps.version.outputs.version, steps.hash.outputs.sha256, and steps.asset.outputs.url to environment variables (VERSION, SHA256, DMG_URL).
   • Remove the inline VERSION="...", SHA256="...", and DMG_URL="..." assignments from the script body, and just use $VERSION, $SHA256, $DMG_URL where needed (the current snippet only uses VERSION and SHA256 in echo and sed; leave DMG_URL set in env for possible future use).

3. In the "Commit and push" step:

   • Add an env: block mapping steps.version.outputs.version to VERSION.
   • Remove the inline assignment VERSION="${{ steps.version.outputs.version }}" and continue using $VERSION in the commit message.

No new methods or imports are required; only YAML changes within .github/workflows/update-homebrew-cask.yml in the shown steps.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.