Pass untrusted input via intermediate ENV vars in CI jobs

kiwitcms · Apr 24, 2023 · e39f7e1 · e39f7e1
1 parent 7e9f6df
commit e39f7e1
Showing 1 changed file with 4 additions and 2 deletions.
diff --git a/.github/workflows/changelog.yml b/.github/workflows/changelog.yml
@@ -16,12 +16,14 @@ jobs:
     - uses: actions/checkout@v3
 
     - name: check-source-branch-and-modified-files
+      env:
+        HEAD_REF: ${{ github.head_ref }}
       run: |
-        echo "INFO: source branch is: ${{ github.head_ref }}"
+        echo "INFO: source branch is: $HEAD_REF"
 
         # if this PR modifies README.md or setup.py file it needs to come from a branch
         # that follows the pattern 'prepare/vX.Y' b/c we want to run some extra jobs for such branches!
-        if [[ ! "${{ github.head_ref }}" =~ ^prepare/v.+$ ]]; then
+        if [[ ! "$HEAD_REF" =~ ^prepare/v.+$ ]]; then
             echo "FAIL: Modifications to README.md or setup.py are only accepted from 'prepare/vX.Y' branches!"
             echo "INFO: Otherwise aarch64 jobs in Circle CI will not be executed."
             exit 1