diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
index 955cd8c..2120f6a 100755
--- a/.github/workflows/cd.yml
+++ b/.github/workflows/cd.yml
@@ -18,9 +18,12 @@ jobs:
 run: |
 if [[ -n "${{ github.event.inputs.tag }}" ]]; then
 echo "Manual run against a tag; overriding actual tag in the environment..."
+ # Using GitHub Action expressions directly instead of passing untrusted input
 echo "VERSION=${{ github.event.inputs.tag }}" >> $GITHUB_ENV
 else
- echo "VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
+ # Sanitizing VERSION to ensure it's safely handled in the shell
+ VERSION="${GITHUB_REF#refs/tags/}"
+ echo "VERSION=${VERSION}" >> $GITHUB_ENV
 fi
 - name: Validate version environment variable
 run: echo "Version being built against is version ${{ env.VERSION }}"!
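Review bot: The added comment `# Using GitHub Action expressions directly instead of passing untrusted input` labels the unsafe pattern as the safe one: `${{ github.event.inputs.tag }}` on the line below it, and in the `[[ -n "..." ]]` test above, is substituted into the script text before bash runs, so a workflow_dispatch tag containing `"` or `;` executes as shell commands, and whatever that branch appends to `$GITHUB_ENV` is never checked either. The `else` branch change is a rename rather than sanitization — `${GITHUB_REF#refs/tags/}` was already a shell-level expansion — so nothing in this hunk validates the value. The step's `name:` and any `env:` block sit above the hunk; put the input there, read it as `$INPUT_TAG` inside the script, and reject anything outside an allow-listed character set before appending to a quoted `"$GITHUB_ENV"` (widen the class if this repo tags with other characters). The last context line interpolates `${{ env.VERSION }}` the same way, which is acceptable only once VERSION has been validated.

```yaml
        env:
          INPUT_TAG: ${{ github.event.inputs.tag }}
        run: |
          if [[ -n "$INPUT_TAG" ]]; then
            echo "Manual run against a tag; overriding actual tag in the environment..."
            VERSION="$INPUT_TAG"
          else
            VERSION="${GITHUB_REF#refs/tags/}"
          fi
          # Refuse anything that could break out of the shell or smuggle extra lines into GITHUB_ENV
          if [[ ! "$VERSION" =~ ^[A-Za-z0-9][A-Za-z0-9._-]*$ ]]; then
            printf 'Refusing unexpected tag value: %s\n' "$VERSION" >&2
            exit 1
          fi
          echo "VERSION=${VERSION}" >> "$GITHUB_ENV"
      # … unchanged: "Validate version environment variable" step …
```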