[hack] Address PR review feedback on create-release-tag.py

- Validate --commit flag against _HEX_RE at parse time to prevent git
  option injection (e.g. --upload-pack=evil-cmd or HEAD~1 references)
- Extract resolve_commit_sha() and resolve_date() helpers from main()
  to reduce branch count and remove too-many-branches pylint suppress

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: mtnbikenc

hack/create-release-tag.py

@@ -124,7 +124,7 @@
 
 
 # ---------------------------------------------------------------------------
-# Catalog helpers (shared pattern with verify-release.py)
+# Catalog helpers
 # ---------------------------------------------------------------------------
 
 def _fetch_pages(api_url: str) -> list:
@@ -277,7 +277,84 @@ def _find_upstream_remote() -> str:
     return ""
 
 
-# pylint: disable=too-many-locals,too-many-branches,too-many-statements
+def resolve_commit_sha(tag: str, version: str,
+                       override: str) -> tuple[str, str]:
+    """
+    Return (commit_sha, source_description) for the given version.
+
+    Uses the manually provided *override* SHA when supplied; otherwise
+    queries the bundle catalog.  Calls sys.exit(1) on any failure.
+    """
+    if override:
+        return override, "provided manually"
+
+    try:
+        commit_sha, commit_source = fetch_bundle_info(version)
+    except Exception as err:  # pylint: disable=broad-except
+        print(
+            f"\nERROR: fetch_bundle_info failed: {err}",
+            file=sys.stderr,
+        )
+        sys.exit(1)
+
+    if not commit_sha:
+        print(
+            f"\nERROR: Could not resolve commit SHA for {tag}.",
+            file=sys.stderr,
+        )
+        print(
+            "       The bundle image for this version "
+            "may not be in the catalog.",
+            file=sys.stderr,
+        )
+        print(
+            "       Provide the commit manually: --commit <SHA>",
+            file=sys.stderr,
+        )
+        sys.exit(1)
+
+    return commit_sha, commit_source
+
+
+def resolve_date(tag: str, version: str, override: str) -> tuple[str, str]:
+    """
+    Return (published_date, source_description) for the given version.
+
+    Uses the manually provided *override* date when supplied; otherwise
+    queries the operator catalog.  Calls sys.exit(1) on any failure.
+    """
+    if override:
+        return override, "provided manually"
+
+    try:
+        published_date = fetch_operator_push_date(version)
+    except Exception as err:  # pylint: disable=broad-except
+        print(
+            f"\nERROR: fetch_operator_push_date failed: {err}",
+            file=sys.stderr,
+        )
+        sys.exit(1)
+
+    if not published_date:
+        print(
+            f"\nERROR: Could not resolve published date for {tag}.",
+            file=sys.stderr,
+        )
+        print(
+            "       The operator image for this version "
+            "may not be in the catalog.",
+            file=sys.stderr,
+        )
+        print(
+            "       Provide the date manually: --date YYYY-MM-DD",
+            file=sys.stderr,
+        )
+        sys.exit(1)
+
+    return published_date, "operator image push date"
+
+
+# pylint: disable=too-many-locals,too-many-statements
 def main():
     """Parse args, resolve tag details, confirm with user, create the tag."""
     parser = argparse.ArgumentParser(
@@ -308,6 +385,11 @@ def main():
     if not re.fullmatch(r"\d+\.\d+\.\d+", args.version):
         parser.error(f"version must be X.Y.Z, got: {args.version!r}")
 
+    if args.commit and not _HEX_RE.match(args.commit):
+        parser.error(
+            f"--commit must be a hex SHA (7-40 characters), got: {args.commit!r}"
+        )
+
     if args.date:
         try:
             date.fromisoformat(args.date)
@@ -336,62 +418,8 @@ def main():
             flush=True,
         )
 
-    if args.commit:
-        commit_sha = args.commit
-        commit_source = "provided manually"
-    else:
-        try:
-            commit_sha, commit_source = fetch_bundle_info(version)
-        except Exception as err:  # pylint: disable=broad-except
-            print(
-                f"\nERROR: fetch_bundle_info failed: {err}",
-                file=sys.stderr,
-            )
-            sys.exit(1)
-        if not commit_sha:
-            print(
-                f"\nERROR: Could not resolve commit SHA for {tag}.",
-                file=sys.stderr,
-            )
-            print(
-                "       The bundle image for this version "
-                "may not be in the catalog.",
-                file=sys.stderr,
-            )
-            print(
-                "       Provide the commit manually: --commit <SHA>",
-                file=sys.stderr,
-            )
-            sys.exit(1)
-
-    if args.date:
-        published_date = args.date
-        date_source = "provided manually"
-    else:
-        try:
-            published_date = fetch_operator_push_date(version)
-        except Exception as err:  # pylint: disable=broad-except
-            print(
-                f"\nERROR: fetch_operator_push_date failed: {err}",
-                file=sys.stderr,
-            )
-            sys.exit(1)
-        date_source = "operator image push date"
-        if not published_date:
-            print(
-                f"\nERROR: Could not resolve published date for {tag}.",
-                file=sys.stderr,
-            )
-            print(
-                "       The operator image for this version "
-                "may not be in the catalog.",
-                file=sys.stderr,
-            )
-            print(
-                "       Provide the date manually: --date YYYY-MM-DD",
-                file=sys.stderr,
-            )
-            sys.exit(1)
+    commit_sha, commit_source = resolve_commit_sha(tag, version, args.commit)
+    published_date, date_source = resolve_date(tag, version, args.date)
 
     # Expand to full commit SHA and verify it exists locally
     try: