Avoid running untrusted input as shell commands in the GitHub Actions.

woocommerce · May 9, 2024 · 12335a7 · 12335a7
1 parent db0298d
commit 12335a7
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/.github/workflows/php-hook-documentation.yml b/.github/workflows/php-hook-documentation.yml
@@ -31,6 +31,8 @@ jobs:
           source-directories: includes/,woocommerce-google-analytics-integration.php
 
       - name: Commit hook documentation
+        env:
+          HEAD_REF: ${{ github.head_ref }}
         shell: bash
         # Use the github-actions bot account to commit.
         # https://api.github.com/users/github-actions%5Bbot%5D
@@ -43,6 +45,6 @@ jobs:
             echo "*No documentation changes to commit.*" >> $GITHUB_STEP_SUMMARY
           else
             echo "*Committing documentation changes.*" >> $GITHUB_STEP_SUMMARY
-            git commit -q -m "Update hooks documentation from ${{ github.head_ref }} branch."
+            git commit -q -m "Update hooks documentation from ${HEAD_REF} branch."
             git push
           fi