From 3e1d053c19357304e067b51ebc7d9d949dbb9a37 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Florian=20K=C3=BCbler?=
Date: Thu, 3 Aug 2023 11:02:31 +0200
Subject: [PATCH] Avoid script injection (#4839)

Following: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
Bug: http://b/294105824
---
 .github/workflows/build-and-test.yml | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/build-and-test.yml b/.github/workflows/build-and-test.yml
index 3988260b48c..057a803e083 100644
--- a/.github/workflows/build-and-test.yml
+++ b/.github/workflows/build-and-test.yml
@@ -74,12 +74,15 @@ jobs:
 CCACHE_COMPRESS: "true"
 CCACHE_COMPRESSLEVEL: "6"
 CCACHE_MAXSIZE: "600M"
+ PR_NUMBER: ${{ github.event.number }}
+ PR_HEAD_REPO: ${{ github.event.pull_request.head.repo.full_name }}
+ PR_HEAD_REF: ${{ github.event.pull_request.head.ref }}
 steps:
 - run: |
 mkdir pr_metadata
- echo "${{ github.event.number }}" > pr_metadata/pr_number.txt
- echo "${{ github.event.pull_request.head.repo.full_name }}" > pr_metadata/pr_head_repo.txt
- echo "${{ github.event.pull_request.head.ref }}" > pr_metadata/pr_head_ref.txt
+ echo "$PR_NUMBER" > pr_metadata/pr_number.txt
+ echo "$PR_HEAD_REPO" > pr_metadata/pr_head_repo.txt
+ echo "$PR_HEAD_REF" > pr_metadata/pr_head_ref.txt
 if: github.event_name == 'pull_request' && matrix.config.name == 'Clang Debug'
 - name: 'Upload PR metadata'
 if: github.event_name == 'pull_request' && matrix.config.name == 'Clang Debug'
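Review bot: The three `PR_*` variables are added to the job-level `env:` block (next to the `CCACHE_*` settings, before `steps:`), so the contributor-controlled head repo name and branch name are exported into every step of the job, not only the step that writes `pr_metadata`. Moving them into an `env:` mapping on that `run` step, as the linked hardening guide does, keeps the untrusted values scoped to where they are used, and a short comment such as `# untrusted PR fields: pass via env, never inline ${{ }} in run` would stop the expression from being re-inlined later. Writing the files with `printf '%s\n' "$PR_HEAD_REF"` rather than `echo` would also rule out any option or escape handling by `echo`. The files are uploaded as an artifact by the next step, so whatever consumes them (not visible here) should presumably still validate their contents, for example that `pr_number.txt` is purely numeric. The job's `env:` block starts outside the hunk and the step list continues past it.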