Avoid script injection (#4839)

Following: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable Bug: http://b/294105824
google · Aug 3, 2023 · 3e1d053 · 3e1d053
1 parent 04a9a1f
commit 3e1d053
Showing 1 changed file with 6 additions and 3 deletions.
diff --git a/.github/workflows/build-and-test.yml b/.github/workflows/build-and-test.yml
@@ -74,12 +74,15 @@ jobs:
       CCACHE_COMPRESS: "true"
       CCACHE_COMPRESSLEVEL: "6"
       CCACHE_MAXSIZE: "600M"
+      PR_NUMBER: ${{ github.event.number }}
+      PR_HEAD_REPO: ${{ github.event.pull_request.head.repo.full_name }}
+      PR_HEAD_REF: ${{ github.event.pull_request.head.ref }}
     steps:
       - run: |
            mkdir pr_metadata
-           echo "${{ github.event.number }}" > pr_metadata/pr_number.txt
-           echo "${{ github.event.pull_request.head.repo.full_name }}" > pr_metadata/pr_head_repo.txt
-           echo "${{ github.event.pull_request.head.ref }}" > pr_metadata/pr_head_ref.txt
+           echo "$PR_NUMBER" > pr_metadata/pr_number.txt
+           echo "$PR_HEAD_REPO" > pr_metadata/pr_head_repo.txt
+           echo "$PR_HEAD_REF" > pr_metadata/pr_head_ref.txt
         if: github.event_name == 'pull_request' && matrix.config.name == 'Clang Debug'
       - name: 'Upload PR metadata'
         if: github.event_name == 'pull_request' && matrix.config.name == 'Clang Debug'