fix: make Github Action safe to RCE via pull request title (#1600)

pypa · Feb 5, 2025 · c6844ba · c6844ba
1 parent 36d632d
commit c6844ba
Showing 1 changed file with 3 additions and 2 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -34,12 +34,13 @@ jobs:
       - uses: actions/checkout@v4
       - name: Extract version to be released
         id: get-version
+        env:
+          PR_TITLE: ${{ github.event.pull_request.title }}
         run: |
           if [ "${{ github.event_name }}" == "workflow_dispatch" ]; then
             echo "version=${{ github.event.inputs.version }}" >> "$GITHUB_OUTPUT"
           else
-            TITLE="${{ github.event.pull_request.title }}"
-            echo "version=${TITLE/: [[:alnum:]]*}" >> "$GITHUB_OUTPUT"
+            echo "version=${PR_TITLE/: [[:alnum:]]*}" >> "$GITHUB_OUTPUT"
           fi
       - name: Bump version and push tag
         uses: mathieudutour/[email protected]