From 70bea1b935820d5834d5b802131009dcfbbda567 Mon Sep 17 00:00:00 2001
From: Nicola Soranzo
Date: Mon, 14 Oct 2024 11:56:47 +0100
Subject: [PATCH] Define environment variables in ``env:`` section

Fix potential command injection via PR title, see https://securitylab.github.com/resources/github-actions-untrusted-input/
---
 .github/workflows/pr-title-update.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/pr-title-update.yml b/.github/workflows/pr-title-update.yml
index 482794257069..6a4c5021f63d 100644
--- a/.github/workflows/pr-title-update.yml
+++ b/.github/workflows/pr-title-update.yml
@@ -16,10 +16,10 @@ jobs:
 - name: Update PR title
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ PR_NUMBER: ${{ github.event.pull_request.number }}
+ TARGET_BRANCH: "${{ github.base_ref }}"
+ PR_TITLE: "${{ github.event.pull_request.title }}"
 run: |
- PR_NUMBER=${{ github.event.pull_request.number }}
- TARGET_BRANCH="${{ github.base_ref }}"
- PR_TITLE="${{ github.event.pull_request.title }}"
 VERSION=$(echo $TARGET_BRANCH | grep -oP '\d+\.\d+')
 if [[ -n "$VERSION" && ! "$PR_TITLE" =~ ^\[$VERSION\] ]]; then
 NEW_TITLE="[$VERSION] $PR_TITLE"
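Review bot: `VERSION=$(echo $TARGET_BRANCH | grep -oP '\d+\.\d+')`, the first context line of the `run:` block, still expands `$TARGET_BRANCH` unquoted, so word splitting and glob expansion apply to a value that the commit has just moved into the environment precisely to keep it out of the shell's parsing; `VERSION=$(grep -oP '\d+\.\d+' <<<"$TARGET_BRANCH")` keeps it a single word. In the `if` test that follows, `$VERSION` is interpolated into the regex, where its `.` matches any character, so a literal prefix check such as `[[ "$PR_TITLE" == "[$VERSION]"* ]]` is tighter. The three new `env:` entries would benefit from a comment stating why they exist, e.g. `# PR title and base branch are untrusted text; pass them via env so they are never interpolated into the script`, and `PR_NUMBER` could be quoted like its two siblings for consistency. The `run:` script continues past the hunk, so the later use of `$NEW_TITLE` should be checked for the same quoting discipline.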