From 2ed0b4ea13a1f9571eb83be6e02e46aaac13c087 Mon Sep 17 00:00:00 2001
From: Diogo Teles Sant'Anna <diogoteles@google.com>
Date: Thu, 8 Aug 2024 18:06:17 +0000
Subject: [PATCH] fix: github workflow vulnerable to script injection

Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
---
 .github/workflows/documentation.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/documentation.yml b/.github/workflows/documentation.yml
index 9ffb682f9..9c490ac3c 100644
--- a/.github/workflows/documentation.yml
+++ b/.github/workflows/documentation.yml
@@ -4,6 +4,9 @@ on:
   workflow_dispatch:
   workflow_call:
 
+env:
+  HEAD_COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
+
 jobs:
   parse_commit_info:
     runs-on: ubuntu-latest
@@ -30,7 +33,7 @@ jobs:
           # The message string is directly substituted in before the command is run.
           # We use a HereDoc to avoid quotation issues if the message has quotes as well.
           TITLE=$(cat <<EOF | head -n 1
-          ${{ github.event.head_commit.message }}
+          $HEAD_COMMIT_MESSAGE
           EOF
           )