From 477661f14964756635c8c9aee236247a642b3ebb Mon Sep 17 00:00:00 2001
From: Diogo Teles Sant'Anna
Date: Thu, 8 Aug 2024 18:06:17 +0000
Subject: [PATCH] fix: github workflow vulnerable to script injection

Signed-off-by: Diogo Teles Sant'Anna
---
 .github/workflows/documentation.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/documentation.yml b/.github/workflows/documentation.yml
index 58c217e06..5dd5b115a 100644
--- a/.github/workflows/documentation.yml
+++ b/.github/workflows/documentation.yml
@@ -4,6 +4,9 @@ on:
 workflow_dispatch:
 workflow_call:
 
+env:
+ HEAD_COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
+
 jobs:
 parse_commit_info:
 runs-on: ubuntu-latest
@@ -30,7 +33,7 @@ jobs:
 # The message string is directly substituted in before the command is run.
 # We use a HereDoc to avoid quotation issues if the message has quotes as well.
 TITLE=$(cat <
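Review bot: The new workflow-level `env:` block makes `HEAD_COMMIT_MESSAGE` visible to every step of every job, including any third-party actions the workflow runs, although only `parse_commit_info` appears to consume it; declaring `env:` / `HEAD_COMMIT_MESSAGE: ${{ github.event.head_commit.message }}` on the `parse_commit_info` job (next to its `runs-on:`) narrows that exposure while keeping the fix. Passing the attacker-influenced message through an environment variable rather than interpolating the `${{ }}` expression into the shell script is the right mitigation, since the value is then only ever data and never script text. Note that `github.event.head_commit` is populated for `push` events only; under the `workflow_dispatch` and `workflow_call` triggers visible in this hunk the variable will expand to an empty string, so the step that reads it (outside this hunk) should tolerate an empty `$HEAD_COMMIT_MESSAGE`, e.g. via `${HEAD_COMMIT_MESSAGE:-}`, if it runs under `set -u`. The comment in the second hunk describing the message as "directly substituted in before the command is run" now describes the old behaviour and is worth rewording to say the message arrives via the environment.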