From 78015f9c316ea99ff0adfcea09ece5dd8ffe7143 Mon Sep 17 00:00:00 2001
From: "fix-it-felix-sentry[bot]" <260785270+fix-it-felix-sentry[bot]@users.noreply.github.com>
Date: Sat, 2 May 2026 04:07:39 +0000
Subject: [PATCH] Fix shell injection vulnerability in lint-external-links workflow

Move github.base_ref from inline shell interpolation to environment variable to prevent potential code injection attacks. This follows GitHub Actions security best practices for handling untrusted input.

Co-Authored-By: Claude Sonnet 4.5
---
 .github/workflows/lint-external-links.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/lint-external-links.yml b/.github/workflows/lint-external-links.yml
index aa04a44f0e5911..f5417bf9f876a0 100644
--- a/.github/workflows/lint-external-links.yml
+++ b/.github/workflows/lint-external-links.yml
@@ -29,8 +29,10 @@ jobs:
       - name: Get changed files
         id: changed
+        env:
+          BASE_REF: ${{ github.base_ref }}
         run: |
-          FILES=$(git diff --name-only --diff-filter=AMR origin/${{ github.base_ref }}...HEAD -- '*.md' '*.mdx' || true)
+          FILES=$(git diff --name-only --diff-filter=AMR origin/"${BASE_REF}"...HEAD -- '*.md' '*.mdx' || true)
           if [ -z "$FILES" ]; then
             echo "files=" >> $GITHUB_OUTPUT
             echo "No markdown files changed"