From 833304ac15bce17d0f03c4852af5f60c186f6a70 Mon Sep 17 00:00:00 2001
From: Lunny Xiao
Date: Thu, 5 Mar 2026 12:30:57 -0800
Subject: [PATCH] Fix dump release asset bug (#36799)
---
 services/migrations/dump.go | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/services/migrations/dump.go b/services/migrations/dump.go
index 04a4569a12..eb0367e9f9 100644
--- a/services/migrations/dump.go
+++ b/services/migrations/dump.go
@@ -288,12 +288,13 @@ func (g *RepositoryDumper) CreateLabels(_ context.Context, labels ...*base.Label
 func (g *RepositoryDumper) CreateReleases(_ context.Context, releases ...*base.Release) error {
 if g.opts.ReleaseAssets {
 for _, release := range releases {
- attachDir := filepath.Join("release_assets", release.TagName)
+ attachDir := filepath.Join("release_assets", uuid.New().String())
 if err := os.MkdirAll(filepath.Join(g.baseDir, attachDir), os.ModePerm); err != nil {
 return err
 }
 for _, asset := range release.Assets {
- attachLocalPath := filepath.Join(attachDir, asset.Name)
+ // we cannot use asset.Name because it might contains special characters.
+ attachLocalPath := filepath.Join(attachDir, uuid.New().String())
 // SECURITY: We cannot check the DownloadURL and DownloadFunc are safe here
 // ... we must assume that they are safe and simply download the attachment
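Review bot: The new comment above `attachLocalPath` understates why the name is replaced, and the `attachDir` line, which has the same problem with `release.TagName`, gets no comment at all. Both values are supplied by the repository being migrated, and `filepath.Join` resolves any separator or `..` they contain, so the old code could create directories and files outside `g.baseDir`. I would put `// release.TagName and asset.Name come from the migration source and may contain path separators or "..", so on-disk paths use random names instead` on both lines. Separately, the unchanged `os.MkdirAll(..., os.ModePerm)` requests 0777 before umask, and `0o755` would be a tighter default if dumps can hold assets from private repositories. The body of CreateReleases continues outside the hunk, so I am assuming the asset's recorded location is later rewritten to the UUID path, since otherwise a restore could not map files back to their assets.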