From fe77b196f4824137f0a7d8c1e6a2f443dbd4f7b3 Mon Sep 17 00:00:00 2001
From: "Y. Meyer-Norwood" <106889957+norwd@users.noreply.github.com>
Date: Tue, 13 Dec 2022 11:16:31 +1300
Subject: [PATCH] Prevent Script Injection Attack

The user-provided inputs here are vulnerable to script injection. This PR uses an intermediary environment variable to treat the input as a string, rather than as part of the command.

See: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
---
 .github/workflows/update-main-version.yml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/update-main-version.yml b/.github/workflows/update-main-version.yml
index c1e046a..c4379e0 100644
--- a/.github/workflows/update-main-version.yml
+++ b/.github/workflows/update-main-version.yml
@@ -16,6 +16,9 @@ on:
 jobs:
   tag:
     runs-on: ubuntu-latest
+    env:
+      TARGET: ${{ github.event.inputs.target }}
+      MAIN_VERSION: ${{ github.event.inputs.main_version }}
     steps:
     - uses: actions/checkout@v3
       with:
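Review bot: The job-level `env:` at the new lines exposes both raw inputs to every step of the job, including `actions/checkout`, although only the two `git` steps that follow read them. Moving the two entries to a step-level `env:` on those steps keeps the untrusted values out of steps that have no use for them; this is a scoping nicety, not a flaw in the intermediate-variable approach, which is the right fix for the expression-injection problem. The checkout step's `with:` block continues outside this hunk.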
@@ -25,6 +28,6 @@ jobs:
         git config user.name github-actions
         git config user.email github-actions@github.com
     - name: Tag new target
-      run: git tag -f ${{ github.event.inputs.main_version }} ${{ github.event.inputs.target }}
+      run: git tag -f "$MAIN_VERSION" "$TARGET"
     - name: Push new tag
-      run: git push origin ${{ github.event.inputs.main_version }} --force
+      run: git push origin "$MAIN_VERSION" --force
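Review bot: Quoting `"$MAIN_VERSION"` and `"$TARGET"` stops the shell from splitting or evaluating them, but it does not stop git from parsing a value that begins with `-` as an option, so a `main_version` such as `-d` would still change what `git tag -f` does; end option parsing with `--` in both commands, `git tag -f -- "$MAIN_VERSION" "$TARGET"` and `git push --force origin -- "$MAIN_VERSION"`. Option separation does not cover refspec-shaped values either: a `main_version` of `:refs/heads/main` is a valid argument to `git push` that deletes that remote branch. I would add a validation step before the tag step that rejects anything not matching the expected shapes (presumably something like `^v[0-9]+$` for `main_version` — the workflow's input declarations are not in this diff, so confirm the patterns against them), e.g. `[[ "$MAIN_VERSION" =~ ^v[0-9]+$ ]] || { echo "unexpected main_version"; exit 1; }`. Since dispatch inputs already require write access to trigger, this is defense in depth rather than a privilege boundary, but it is cheap and keeps a typo from force-pushing over the wrong ref.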