Potential fix for code injection in github action (#2768)
author Marcel van der Veldt <m.vanderveldt@outlook.com>
Mon, 8 Dec 2025 12:42:08 +0000 (13:42 +0100)
committer GitHub <noreply@github.com>
Mon, 8 Dec 2025 12:42:08 +0000 (13:42 +0100)
Potential fix for code scanning in github action

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
.github/workflows/auto-merge-dependency-updates.yml

index 1b0805b70b62a26a9d4e2a5d651db9bf3bf20d12..b602d0e9ba8f0bf9a1441262f43a61f813bc2373 100644 (file)
@@ -47,7 +47,7 @@ jobs:
       - name: Verify PR labels and source
         run: |
           LABELS="${{ join(github.event.pull_request.labels.*.name, ',') }}"
-          BRANCH="${{ github.event.pull_request.head.ref }}"
+          BRANCH="$BRANCH"
 
           if [[ "$LABELS" != *"dependencies"* ]]; then
             echo "❌ PR does not have 'dependencies' label"
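Review bot: `BRANCH="$BRANCH"` on the added `+` line is a self-assignment that does nothing; once the value arrives through the step's `env:` it is already a shell variable, so the line can be dropped and the later checks can use `$BRANCH` directly. The substance of the change is correct: `${{ github.event.pull_request.head.ref }}` on the removed `-` line is expanded into the script text before bash parses it, and the PR author chooses the branch name, so shell metacharacters in it would be interpreted as code rather than data; passing it through `env:` keeps it as data. The same pattern is left in place on the `LABELS=` line, where `${{ join(github.event.pull_request.labels.*.name, ',') }}` is still interpolated into the script. For consistency, and because GitHub's hardening guidance treats every `github.event.*` field as untrusted, move it to the step's `env:` as well, e.g. `LABELS: ${{ join(github.event.pull_request.labels.*.name, ',') }}`, and keep the check as `if [[ "$LABELS" != *"dependencies"* ]]; then`.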
@@ -61,6 +61,8 @@ jobs:
 
           echo "✅ PR has 'dependencies' label and valid branch name"
 
+        env:
+          BRANCH: ${{ github.event.pull_request.head.ref }}
       # IMPORTANT: Checkout the PR's head to validate file changes
       # This is required for the git commands in security check 5
       - name: Checkout PR branch
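Review bot: the added `env:` block sits after `run:`, which is valid YAML (mapping key order is not significant) but makes a reader scan past the whole script before discovering where `$BRANCH` comes from; placing `env:` before `run:` is the usual convention and would make the data flow obvious. A one-line comment explaining that the value is routed through `env:` specifically to avoid expression injection would also help, since the next maintainer may otherwise "simplify" it back into the script. Finally, the value is still untrusted input even after this change, so the "valid branch name" check this step performs should keep `"$BRANCH"` quoted everywhere it is used and match it against a strict allow-list pattern rather than a loose substring test.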