fix(diff-rendered-charts): using environment variable for head_ref to…

… avoid command injection issues
mozilla-it · May 28, 2024 · 8bdc403 · 8bdc403
1 parent 4fbdc69
commit 8bdc403
Showing 1 changed file with 5 additions and 2 deletions.
diff --git a/.github/workflows/diff-rendered-charts.yml b/.github/workflows/diff-rendered-charts.yml
@@ -9,6 +9,9 @@ name: render and diff helm charts
 on:
   workflow_call:
 
+env:
+  HEAD_REF: ${{ github.head_ref }}
+
 jobs:
   get_changed_helm_charts:
     runs-on: ubuntu-latest
@@ -45,8 +48,8 @@ jobs:
         id: render_head
         run: |
           mkdir -p shared/head-charts
-          git fetch origin ${{ github.head_ref }}
-          git checkout  ${{ github.head_ref }} --
+          git fetch origin "$HEAD_REF"
+          git checkout  "$HEAD_REF" --
           if [ -f "${{ matrix.chart }}/Chart.yaml" ]; then
             helm dependency update "${{ matrix.chart }}"
             values_files="${{ matrix.chart }}"/values-*