From 56d51b051a9995b36c86a218d6981ab84f509739 Mon Sep 17 00:00:00 2001
From: Felicity <akanez@amazon.com>
Date: Mon, 22 Sep 2025 10:12:16 -0700
Subject: [PATCH] ci: sanitize environment variables for PR SHA and number

---
 .github/workflows/maven.yml | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/maven.yml b/.github/workflows/maven.yml
index 4126442..facb165 100644
--- a/.github/workflows/maven.yml
+++ b/.github/workflows/maven.yml
@@ -31,10 +31,15 @@ jobs:
       - name: Convert Jacoco to Cobertura
         run: python3 .github/scripts/cover2cover.py target/jacoco-report/jacoco.xml src/main/java > target/jacoco-report/cobertura.xml
       - name: Save PR number
+        env:
+          PR_NR: ${{ github.event.number }}
+          PR_SHA: ${{ github.event.pull_request.head.sha }}
         run: |
           mkdir -p ./pr/jacoco-report
-          echo ${{ github.event.number }} > ./pr/NR
-          echo ${{ github.event.pull_request.head.sha }} > ./pr/SHA
+          SANITIZED_NR=$(echo "$PR_NR" | tr -cd '0-9')
+          SANITIZED_SHA=$(echo "$PR_SHA" | tr -cd 'a-fA-F0-9')
+          echo "$SANITIZED_NR" > ./pr/NR
+          echo "$SANITIZED_SHA" > ./pr/SHA
 
           cp target/jacoco-report/cobertura.xml ./pr/jacoco-report/cobertura.xml
         if: github.event_name == 'pull_request'