fix: github workflow vulnerable to script injection

Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
has2k1 · Aug 8, 2024 · 2ed0b4e · 2ed0b4e
1 parent 4159f95
commit 2ed0b4e
Showing 1 changed file with 4 additions and 1 deletion.
diff --git a/.github/workflows/documentation.yml b/.github/workflows/documentation.yml
@@ -4,6 +4,9 @@ on:
   workflow_dispatch:
   workflow_call:
 
+env:
+  HEAD_COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
+
 jobs:
   parse_commit_info:
     runs-on: ubuntu-latest
@@ -30,7 +33,7 @@ jobs:
           # The message string is directly substituted in before the command is run.
           # We use a HereDoc to avoid quotation issues if the message has quotes as well.
           TITLE=$(cat <<EOF | head -n 1
-          ${{ github.event.head_commit.message }}
+          $HEAD_COMMIT_MESSAGE
           EOF
           )