From: Marcel van der Veldt Date: Mon, 8 Dec 2025 12:42:08 +0000 (+0100) Subject: Potential fix for code injection in github action (#2768) X-Git-Url: https://git.kitaultman.com/?a=commitdiff_plain;h=1f9af5bc50c4230b52134947be93d2026c79dad8;p=music-assistant-server.git Potential fix for code injection in github action (#2768) Potential fix for code scanning in github action Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> --- diff --git a/.github/workflows/auto-merge-dependency-updates.yml b/.github/workflows/auto-merge-dependency-updates.yml index 1b0805b7..b602d0e9 100644 --- a/.github/workflows/auto-merge-dependency-updates.yml +++ b/.github/workflows/auto-merge-dependency-updates.yml @@ -47,7 +47,7 @@ jobs: - name: Verify PR labels and source run: | LABELS="${{ join(github.event.pull_request.labels.*.name, ',') }}" - BRANCH="${{ github.event.pull_request.head.ref }}" + BRANCH="$BRANCH" if [[ "$LABELS" != *"dependencies"* ]]; then echo "❌ PR does not have 'dependencies' label" @@ -61,6 +61,8 @@ jobs: echo "✅ PR has 'dependencies' label and valid branch name" + env: + BRANCH: ${{ github.event.pull_request.head.ref }} # IMPORTANT: Checkout the PR's head to validate file changes # This is required for the git commands in security check 5 - name: Checkout PR branch
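Review bot: in the first hunk, the `LABELS="${{ join(github.event.pull_request.labels.*.name, ',') }}"` line directly above the changed `BRANCH` line still interpolates a pull-request field into the `run:` script text, which is the same pattern this change removes for the branch name. Label names are maintainer-controlled, so the exposure is lower, but for consistency move it to the step's `env:` too, e.g. `LABELS: ${{ join(github.event.pull_request.labels.*.name, ',') }}` under `env:` and `LABELS="$LABELS"` in the script. The `BRANCH="$BRANCH"` change itself is right: the head ref now reaches bash as the value of an environment variable and is expanded only inside double quotes, so whatever characters the branch name contains are treated as data rather than as part of the script.

Review bot: in the second hunk, the new `env:` block must be indented at the same level as the step's `name:` and `run:` keys so that `BRANCH` becomes a step-level environment variable; the flattened diff does not show the indentation, so confirm it before merging, since one level off would either fail workflow validation or attach the mapping to the wrong key. Placing `env:` after `run:` within the step is valid YAML (key order in a mapping does not matter). `github.event.pull_request.head.ref` is chosen by the PR author, so defining it under `env:` rather than inline in `run:` is the correct fix for the code-scanning finding the commit message refers to.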