From 15806f7507287b1e84a48d2433555bb7d28c0f5a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?M=C3=A9di-R=C3=A9mi=20Hashim?= <mediremi@gmail.com>
Date: Wed, 22 Oct 2025 17:24:48 +0100
Subject: [PATCH] Mitigate potential template injection in CI workflow

---
 .github/workflows/ci.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index e6b2fdb9e8..9c1393e5c6 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -272,7 +272,7 @@ jobs:
           gh extension install actions/gh-actions-cache
           gh actions-cache delete ${{ steps.compiler-build-state-key.outputs.value }} \
             -R ${{ github.repository }} \
-            -B ${{ github.ref }} \
+            -B "$GITHUB_REF" \
             --confirm || echo "not exist"
         env:
           GH_TOKEN: ${{ github.token }}
@@ -529,7 +529,7 @@ jobs:
           git config --global user.name "github-actions[bot]"
           git config --global user.email "github-actions@rescript-lang.org"
           git add data/api
-          git commit -m "Update API docs for ${{ github.ref_name }}"
+          git commit -m "Update API docs for $GITHUB_REF_NAME"
           git push
 
   test-installation-npm: