From 6bf2d2794f4371992ff6bfe8cd78bb47a1f797ac Mon Sep 17 00:00:00 2001
From: Lucas Rodriguez
Date: Thu, 4 Apr 2024 16:26:02 -0500
Subject: [PATCH] Use env var for PR title to prevent untrusted script injection
---
 .github/workflows/commitlint.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/commitlint.yml b/.github/workflows/commitlint.yml
index b25a1b28db..39838c5298 100644
--- a/.github/workflows/commitlint.yml
+++ b/.github/workflows/commitlint.yml
@@ -24,4 +24,6 @@ jobs:
 run: npm install --save-dev @commitlint/{config-conventional,cli}
 - name: Lint PR title
- run: echo "${{ github.event.pull_request.title }}" | npx commitlint
+ env:
+ PR_TITLE: ${{ github.event.pull_request.title }}
+ run: echo "$PR_TITLE" | npx commitlint
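Review bot: The new `run: echo "$PR_TITLE" | npx commitlint` line still hands the untrusted title to `echo`, which treats a title consisting only of an option such as `-n` as a flag and, in some shells, expands backslash escapes, so commitlint may lint something other than the real title. `run: printf '%s\n' "$PR_TITLE" | npx commitlint` passes it through verbatim. A short comment above `env:` would also help keep the fix from being reverted, for example `# Untrusted input: pass via env, never interpolate ${{ }} directly into run:`. The workflow's trigger and `permissions:` are outside this hunk, so which token scope the job runs with cannot be confirmed from here.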