From 5c0eb9cf1816c64b67052f5ed5cabd5ae362d0bd Mon Sep 17 00:00:00 2001
From: acarriedev
Date: Tue, 26 Aug 2025 13:40:19 +0100
Subject: [PATCH] MESH-2530 Fix action vulnerable to script injection
---
 .github/workflows/pull-request.yml | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/pull-request.yml b/.github/workflows/pull-request.yml
index ff5823b..c85003e 100644
--- a/.github/workflows/pull-request.yml
+++ b/.github/workflows/pull-request.yml
@@ -297,11 +297,14 @@ jobs:
 - name: merge into base_branch
 if: ${{ github.event_name == 'pull_request' }}
 run: |
- echo base branch "${{ github.base_ref }}"
- echo pr branch "${{ github.head_ref }}"
- git checkout "${{ github.base_ref }}"
+ echo base branch "$BASE_BRANCH"
+ echo pr branch "$PR_BRANCH"
+ git checkout "$BASE_BRANCH"
 git checkout -b "merging-${{ github.event.number }}"
 git merge --ff-only "${{ github.event.pull_request.head.sha }}"
+ env:
+ BASE_BRANCH: ${{ github.base_ref }}
+ PR_BRANCH: ${{ github.head_ref }}
 - name: setup python
 uses: actions/setup-python@v5
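Review bot: Two `${{ }}` expressions are still expanded inside the `run:` script after this change: `github.event.number` on the `git checkout -b` line and `github.event.pull_request.head.sha` on the `git merge --ff-only` line. Both are platform-generated values (an integer and a commit SHA) rather than free-form strings like the branch names, so they do not look like the same injection risk. Passing them through `env:` as well, for example `PR_NUMBER: ${{ github.event.number }}` and `HEAD_SHA: ${{ github.event.pull_request.head.sha }}`, and referring to them as quoted shell variables would leave the script with no expression interpolation at all. That makes the "no `${{ }}` inside `run:`" rule simple to enforce with a workflow linter. The fix also depends on the double quotes around `$BASE_BRANCH` and `$PR_BRANCH`, so a short comment above `env:` such as `# untrusted PR metadata: pass via env and always quote in the script` would help keep later edits safe.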