Merge pull request #418 from woocommerce/dev/fix-gha-untrusted-input

Avoid running untrusted input as shell commands in the GitHub Actions
woocommerce · May 9, 2024 · d755f71 · d755f71
2 parents db0298d + 12335a7
commit d755f71
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/.github/workflows/php-hook-documentation.yml b/.github/workflows/php-hook-documentation.yml
@@ -31,6 +31,8 @@ jobs:
           source-directories: includes/,woocommerce-google-analytics-integration.php
 
       - name: Commit hook documentation
+        env:
+          HEAD_REF: ${{ github.head_ref }}
         shell: bash
         # Use the github-actions bot account to commit.
         # https://api.github.com/users/github-actions%5Bbot%5D
@@ -43,6 +45,6 @@ jobs:
             echo "*No documentation changes to commit.*" >> $GITHUB_STEP_SUMMARY
           else
             echo "*Committing documentation changes.*" >> $GITHUB_STEP_SUMMARY
-            git commit -q -m "Update hooks documentation from ${{ github.head_ref }} branch."
+            git commit -q -m "Update hooks documentation from ${HEAD_REF} branch."
             git push
           fi