From c6844ba80bc0b41f844c371c44749a8d82e71fd6 Mon Sep 17 00:00:00 2001
From: VS
Date: Wed, 5 Feb 2025 10:20:44 +0200
Subject: [PATCH] fix: make Github Action safe to RCE via pull request title (#1600)

---
 .github/workflows/release.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 8f136550f..21480ca9f 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -34,12 +34,13 @@ jobs:
       - uses: actions/checkout@v4
       - name: Extract version to be released
         id: get-version
+        env:
+          PR_TITLE: ${{ github.event.pull_request.title }}
         run: |
           if [ "${{ github.event_name }}" == "workflow_dispatch" ]; then
             echo "version=${{ github.event.inputs.version }}" >> "$GITHUB_OUTPUT"
           else
-            TITLE="${{ github.event.pull_request.title }}"
-            echo "version=${TITLE/: [[:alnum:]]*}" >> "$GITHUB_OUTPUT"
+            echo "version=${PR_TITLE/: [[:alnum:]]*}" >> "$GITHUB_OUTPUT"
           fi
       - name: Bump version and push tag
         uses: mathieudutour/github-tag-action@v6.2
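Review bot: The value derived from PR_TITLE on the added `echo` line is written to `$GITHUB_OUTPUT` without any shape check, so a title that does not follow the `<version>: <description>` convention still flows into the `version` output (presumably consumed by the github-tag-action step that starts below the hunk) instead of failing the step. Capturing it first and validating it would make the failure explicit: `VERSION="${PR_TITLE/: [[:alnum:]]*}"`, `[[ "$VERSION" =~ ^v?[0-9]+(\.[0-9]+)*$ ]] || { echo "unexpected version: $VERSION" >&2; exit 1; }`, then `echo "version=$VERSION" >> "$GITHUB_OUTPUT"`. The workflow_dispatch branch still interpolates `${{ github.event.inputs.version }}` directly into the shell script; that input is only supplied by someone able to dispatch the workflow, but passing it through `env:` the same way as PR_TITLE would be consistent and leave the run block free of expression interpolation, and the same validation could then cover both branches. The step's job and the following tag step continue outside the hunk.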