Fix CI command injection vulnerability

See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
2025-10-30 06:43:00 +00:00 · 2023-04-26 16:01:20 +02:00
parent da30e539df
commit 43b0167a3a
1 changed files with 3 additions and 1 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -42,7 +42,9 @@ jobs:
      - name: create and checkout branch
        # push events already checked out the branch
        if: github.event_name == 'pull_request'
-        run: git checkout -B ${{ github.head_ref }}
+        env:
+          BRANCH: ${{ github.head_ref }}
+        run: git checkout -B "$BRANCH"

      - name: set up JDK 17
        uses: actions/setup-java@v3