diff --git a/.github/workflows/sonar.yaml b/.github/workflows/sonar.yaml
index 939df2d5b0..c57df7152b 100644
--- a/.github/workflows/sonar.yaml
+++ b/.github/workflows/sonar.yaml
@@ -37,36 +37,37 @@ jobs:
 if: env.SONAR_TOKEN_SET == 'true'
 id: get_pr_data
 with:
- route: GET /repos/{full_name}/pulls/{number}
- number: ${{ steps.pr_number.outputs.content }}
- full_name: ${{ github.event.repository.full_name }}
+ route: GET /repos/${{env.full_name}}/pulls/${{env.pr_number}}
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- - name: "sanitize head ref"
+ pr_number: ${{ steps.pr_number.outputs.content }}
+ full_name: ${{ github.event.repository.full_name }}
+ - name: "Check for legal branch names"
 id: set_branch_name
+ env:
+ HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}
 run: |
- head_ref="${{ github.event.workflow_run.head_repository.head_branch }}"
-
- # Sanitize by replacing shell characters with -
- sanitized_head=$(echo ${head_ref} | sed 's/[\(\$\)]/-/g')
-
- echo "sanitized_head_ref=${sanitized_head}" >> $GITHUB_ENV
+ if [[ ${HEAD_BRANCH} =~ [\(\$\)\;]+ ]];
+ then
+ echo "BRANCH '${HEAD_BRANCH}' contains potentially malicious characters as it matches BRANCH_REGEX '${BRANCH_REGEX}'"
+ exit 1
+ else
+ echo "SANITIZED_HEAD_REF=${HEAD_BRANCH}" >> $GITHUB_ENV
+ fi
 shell: bash
 - uses: actions/checkout@v6
 if: env.SONAR_TOKEN_SET == 'true'
 with:
 repository: ${{ github.event.workflow_run.head_repository.full_name }}
- ref: ${{env.sanitized_head_ref}}
+ ref: ${{env.SANITIZED_HEAD_REF}}
 fetch-depth: 0
 - name: Checkout base branch
 if: env.SONAR_TOKEN_SET == 'true'
- env:
- HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}
 run: |
 git remote add upstream ${{ github.event.repository.clone_url }}
 git fetch upstream
 git checkout -B ${{ fromJson(steps.get_pr_data.outputs.data).base.ref }} upstream/${{ fromJson(steps.get_pr_data.outputs.data).base.ref }}
- git checkout "${HEAD_BRANCH}"
+ git checkout "origin/${{env.SANITIZED_HEAD_REF}}"
 git clean -ffdx && git reset --hard HEAD
 - name: Set up QEMU
 uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130
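Review bot: The added `git checkout "origin/${{env.SANITIZED_HEAD_REF}}"` line in the `Checkout base branch` script expands the expression into the script text before bash runs, so the contributor-controlled branch name is parsed as shell source again, whereas the removed `"${HEAD_BRANCH}"` form passed it as data. The check in `set_branch_name` is a denylist of `(`, `$`, `)` and `;`, and git ref names permit other shell-significant characters (backticks and double quotes, for instance), so it does not make that expansion safe. Because the value is written to `$GITHUB_ENV`, it is already an ordinary shell variable in later steps: use `git checkout "origin/${SANITIZED_HEAD_REF}"`, and consider an allowlist such as `if [[ ! "${HEAD_BRANCH}" =~ ^[A-Za-z0-9._/-]+$ ]]; then` (adjusted to the project's branch naming). `BRANCH_REGEX` in the error message is not defined anywhere in the visible hunk, so that part of the message would presumably print empty. The job's remaining steps continue outside the hunk.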
diff --git a/kroxylicious-docs/docs/record-encryption-quickstart/index.adoc b/kroxylicious-docs/docs/record-encryption-quickstart/index.adoc
index 1363e9ce6f..a04a1938b7 100644
--- a/kroxylicious-docs/docs/record-encryption-quickstart/index.adoc
+++ b/kroxylicious-docs/docs/record-encryption-quickstart/index.adoc
@@ -3,7 +3,7 @@
 :localstack-chart-version: 0.6.27
 // A Renovate rule will update the strimzi-version but not kafka-version. Update the kafka-version to the point
 // at the latest kafka version supported by that strimzi.
-:strimzi-version: 0.49.1
+:strimzi-version: 0.50.0
 :kafka-version: 4.1.1
 :kafka-image: quay.io/strimzi/kafka:{strimzi-version}-kafka-{kafka-version}