longieirl · longieirl · May 4, 2026 · May 4, 2026 · May 4, 2026
@@ -371,9 +371,11 @@ jobs:
           cache-to: type=gha,mode=max
 
       - name: Smoke-test image
+        env:
+          PR_NUMBER: ${{ github.event.pull_request.number }}
         run: |
           docker run --rm \
-            bankstatementsprocessor:pr-${{ github.event.pull_request.number }} \
+            "bankstatementsprocessor:pr-${PR_NUMBER}" \
             python -c "import bankstatements_free; import bankstatements_core; print('imports OK')"
 
   # ---------------------------------------------------------------------------

@@ -27,8 +27,9 @@ jobs:
           echo "Version from tag: ${TAG_VERSION}"
 
       - name: Verify version consistency
+        env:
+          TAG_VERSION: ${{ steps.get-version.outputs.version }}
         run: |
-          TAG_VERSION=${{ steps.get-version.outputs.version }}
           CODE_VERSION=$(grep '__version__ = ' packages/parser-core/src/bankstatements_core/__version__.py | cut -d'"' -f2)
           TOML_VERSION=$(grep '^version = ' packages/parser-core/pyproject.toml | cut -d'"' -f2)
 
@@ -68,10 +69,12 @@ jobs:
 
       - name: Extract metadata
         id: meta
+        env:
+          RELEASE_VERSION: ${{ needs.validate-version.outputs.version }}
         run: |
-          VERSION=${{ needs.validate-version.outputs.version }}
-          MAJOR=$(echo ${VERSION} | cut -d. -f1)
-          MINOR=$(echo ${VERSION} | cut -d. -f1-2)
+          VERSION="${RELEASE_VERSION}"
+          MAJOR=$(echo "${VERSION}" | cut -d. -f1)
+          MINOR=$(echo "${VERSION}" | cut -d. -f1-2)
           BUILD_DATE=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
           VCS_REF=$(git rev-parse --short HEAD)
 
@@ -103,9 +106,11 @@ jobs:
           cache-to: type=gha,mode=max
 
       - name: Verify image
+        env:
+          RELEASE_VERSION: ${{ steps.meta.outputs.version }}
         run: |
-          docker pull ghcr.io/longieirl/bankstatements:${{ steps.meta.outputs.version }}
-          docker inspect ghcr.io/longieirl/bankstatements:${{ steps.meta.outputs.version }} | jq '.[0].Config.Labels'
+          docker pull "ghcr.io/longieirl/bankstatements:${RELEASE_VERSION}"
+          docker inspect "ghcr.io/longieirl/bankstatements:${RELEASE_VERSION}" | jq '.[0].Config.Labels'
 
       - name: Run Trivy vulnerability scanner on release
         uses: aquasecurity/trivy-action@master
@@ -141,8 +146,10 @@ jobs:
 
       - name: Extract changelog for version
         id: changelog
+        env:
+          RELEASE_VERSION: ${{ needs.validate-version.outputs.version }}
         run: |
-          VERSION=${{ needs.validate-version.outputs.version }}
+          VERSION="${RELEASE_VERSION}"
 
           # Extract changelog section for this version
           CHANGELOG=$(awk "/## \[${VERSION}\]/,/## \[/{if(/## \[${VERSION}\]/)p=1;else if(/## \[/)p=0;if(p)print}" CHANGELOG.md | tail -n +2)
@@ -167,16 +174,18 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Release summary
+        env:
+          RELEASE_VERSION: ${{ needs.validate-version.outputs.version }}
         run: |
           {
-            echo "## 🚀 Release v${{ needs.validate-version.outputs.version }}"
+            echo "## 🚀 Release v${RELEASE_VERSION}"
             echo ""
             echo "### Docker Images"
-            echo "- \`ghcr.io/longieirl/bankstatements:${{ needs.validate-version.outputs.version }}\`"
+            echo "- \`ghcr.io/longieirl/bankstatements:${RELEASE_VERSION}\`"
             echo "- \`ghcr.io/longieirl/bankstatements:latest\`"
             echo ""
             echo "### Pull Command"
             echo "\`\`\`bash"
-            echo "docker pull ghcr.io/longieirl/bankstatements:${{ needs.validate-version.outputs.version }}"
+            echo "docker pull ghcr.io/longieirl/bankstatements:${RELEASE_VERSION}"
             echo "\`\`\`"
           } >> "$GITHUB_STEP_SUMMARY"
@@ -16,10 +16,10 @@ jobs:
       - name: Add all committers if new
         env:
           GH_TOKEN: ${{ github.token }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
         run: |
           # 1. Get all unique authors from the commits in this merged PR
-          PR_NUMBER=${{ github.event.pull_request.number }}
-          COMMITTERS=$(gh pr view $PR_NUMBER --json commits --jq '.commits[].author.login' | sort -u)
+          COMMITTERS=$(gh pr view "$PR_NUMBER" --json commits --jq '.commits[].author.login' | sort -u)
           # 2. Loop through each committer
           for USER in $COMMITTERS; do
             if [ "$USER" == "web-flow" ] || [ -z "$USER" ]; then continue; fi
@@ -32,8 +32,10 @@ jobs:
             fi
           done
       - name: Commit and Push
+        env:
+          PR_NUMBER: ${{ github.event.pull_request.number }}
         run: |
           git config user.name "github-actions[bot]"
           git config user.email "github-actions[bot]@users.noreply.github.com"
           git add THANKYOU.md
-          git diff --quiet --staged || (git commit -m "docs: add new contributors from PR #${{ github.event.pull_request.number }}" && git push)
+          git diff --quiet --staged || (git commit -m "docs: add new contributors from PR #${PR_NUMBER}" && git push)
@@ -11,13 +11,16 @@
 
 import argparse
 import json
+import re
 import sys
 from datetime import datetime, timedelta
 from pathlib import Path
 from typing import Any, Dict, List
 import urllib.request
 import urllib.error
 
+_PYPI_NAME_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9._-]*[A-Za-z0-9])?$")
+
 
 def load_sbom(path: Path) -> Dict[str, Any]:
     """Load and parse an SBOM file."""
@@ -54,6 +57,8 @@ def fetch_pypi_metadata(package_name: str) -> Dict[str, Any]:
 
     Returns empty dict if package not found or error occurs.
     """
+    if not _PYPI_NAME_RE.match(package_name):
+        return {}
     try:
         url = f"https://pypi.org/pypi/{package_name}/json"
         with urllib.request.urlopen(url, timeout=5) as response: