From e39f7e156fdaf6fec09a15ea6f4e8fec8cdbf751 Mon Sep 17 00:00:00 2001
From: Alexander Todorov
Date: Mon, 24 Apr 2023 17:57:41 +0300
Subject: [PATCH] Pass untrusted input via intermediate ENV vars in CI jobs

---
 .github/workflows/changelog.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/changelog.yml b/.github/workflows/changelog.yml
index e2947a9..6bc5c47 100644
--- a/.github/workflows/changelog.yml
+++ b/.github/workflows/changelog.yml
@@ -16,12 +16,14 @@ jobs:
       - uses: actions/checkout@v3
 
       - name: check-source-branch-and-modified-files
+        env:
+          HEAD_REF: ${{ github.head_ref }}
         run: |
-          echo "INFO: source branch is: ${{ github.head_ref }}"
+          echo "INFO: source branch is: $HEAD_REF"
 
           # if this PR modifies README.md or setup.py file it needs to come from a branch
           # that follows the pattern 'prepare/vX.Y' b/c we want to run some extra jobs for such branches!
-          if [[ ! "${{ github.head_ref }}" =~ ^prepare/v.+$ ]]; then
+          if [[ ! "$HEAD_REF" =~ ^prepare/v.+$ ]]; then
             echo "FAIL: Modifications to README.md or setup.py are only accepted from 'prepare/vX.Y' branches!"
             echo "INFO: Otherwise aarch64 jobs in Circle CI will not be executed."
             exit 1
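Review bot: The regex on the new `if [[ ! "$HEAD_REF" =~ ^prepare/v.+$ ]]` line is much looser than the 'prepare/vX.Y' pattern the comment and the FAIL message promise — `.+` accepts `prepare/vanything`, so a PR author can name a branch to satisfy the gate without following the convention; `if [[ ! "$HEAD_REF" =~ ^prepare/v[0-9]+\.[0-9]+$ ]]; then` would enforce what the message states. Moving `github.head_ref` into the `env:` block is the right fix for the expression-injection problem, and keeping the left-hand side of `=~` double-quoted matters as well, since an unquoted `$HEAD_REF` there would let the branch name be interpreted rather than compared. Note that `[[ =~ ]]` is bash-only, so this step depends on the runner's default shell being bash (true for Linux runners; add `shell: bash` if the job's `runs-on` is not Linux). Any other `run:` block in this workflow that still interpolates `${{ github.head_ref }}` or another PR-controlled context needs the same treatment, which cannot be confirmed from this hunk. The `run:` script continues past the hunk (the closing `fi` is outside it).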