From 43b0167a3a7d97f0a002db2634337faaac95a59d Mon Sep 17 00:00:00 2001
From: Stypox <stypox@pm.me>
Date: Wed, 26 Apr 2023 16:01:20 +0200
Subject: [PATCH] Fix CI command injection vulnerability

See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
---
 .github/workflows/ci.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 67bd46992..03b04b7c4 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -42,7 +42,9 @@ jobs:
       - name: create and checkout branch
         # push events already checked out the branch
         if: github.event_name == 'pull_request'
-        run: git checkout -B ${{ github.head_ref }}
+        env:
+          BRANCH: ${{ github.head_ref }}
+        run: git checkout -B "$BRANCH"
 
       - name: set up JDK 17
         uses: actions/setup-java@v3