From 8bdc4031e185e06be8a4327b97c22c566a2fbb72 Mon Sep 17 00:00:00 2001
From: Dustin Lactin
Date: Tue, 28 May 2024 09:01:29 -0600
Subject: [PATCH] fix(diff-rendered-charts): using environment variable for head_ref to avoid command injection issues
---
 .github/workflows/diff-rendered-charts.yml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/diff-rendered-charts.yml b/.github/workflows/diff-rendered-charts.yml
index 0646b28..aa40c31 100644
--- a/.github/workflows/diff-rendered-charts.yml
+++ b/.github/workflows/diff-rendered-charts.yml
@@ -9,6 +9,9 @@ name: render and diff helm charts
 on:
 workflow_call:
+env:
+ HEAD_REF: ${{ github.head_ref }}
+
 jobs:
 get_changed_helm_charts:
 runs-on: ubuntu-latest
@@ -45,8 +48,8 @@ jobs:
 id: render_head
 run: |
 mkdir -p shared/head-charts
- git fetch origin ${{ github.head_ref }}
- git checkout ${{ github.head_ref }} --
+ git fetch origin "$HEAD_REF"
+ git checkout "$HEAD_REF" --
 if [ -f "${{ matrix.chart }}/Chart.yaml" ]; then
 helm dependency update "${{ matrix.chart }}"
 values_files="${{ matrix.chart }}"/values-*
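Review bot: The same template-expansion pattern the commit removes for `github.head_ref` is still present on the new side a few lines below: `"${{ matrix.chart }}/Chart.yaml"`, `helm dependency update "${{ matrix.chart }}"` and `values_files="${{ matrix.chart }}"/values-*` are substituted into the script text before the shell parses it, so the surrounding quotes give no protection against a value containing `"` or `;`. The job name `get_changed_helm_charts` suggests the matrix is derived from paths touched by the pull request, which a contributor chooses, so this looks like the same injection class as the one being fixed — worth confirming how that matrix is produced. Move it into the step's environment as well (`env: CHART: ${{ matrix.chart }}` on the step) and reference `"$CHART"` in the three commands. Separately, `github.head_ref` is only populated for pull_request-family events, so a caller using another trigger leaves `HEAD_REF` empty and `git checkout "$HEAD_REF" --` fails on an empty pathspec; a `test -n "$HEAD_REF"` guard at the top of the script would make that failure mode explicit. The `run` script continues past the end of the hunk.
```yaml
        id: render_head
        env:
          CHART: ${{ matrix.chart }}
        run: |
          # … unchanged: mkdir, git fetch/checkout of "$HEAD_REF" …
          if [ -f "$CHART/Chart.yaml" ]; then
            helm dependency update "$CHART"
            values_files="$CHART"/values-*
```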