chore: secure hermetic_library_generation workflow

Thanks to @diogoteles08 for the inspection on our repos. This PR inlines environment variables to avoid overriding script injections.
googleapis · Aug 19, 2024 · 9fabd65 · 9fabd65
1 parent 169aea5
commit 9fabd65
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/.github/workflows/hermetic_library_generation.yaml b/.github/workflows/hermetic_library_generation.yaml
@@ -19,11 +19,12 @@ on:
 
 env:
   HEAD_REF: ${{ github.head_ref }}
+  REPO_FULL_NAME: ${{ github.event.pull_request.head.repo.full_name }}
 
 jobs:
   library_generation:
     # skip pull requests come from a forked repository
-    if: github.event.pull_request.head.repo.full_name == github.repository
+    if: ${{ env.REPO_FULL_NAME }} == github.repository
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v4