From 907c1ba9163d5b9d7a4f6c49b9600aae443d713a Mon Sep 17 00:00:00 2001
From: xiaosansiji <xiaosansiji@gmail.com>
Date: Mon, 17 Jul 2023 16:16:22 +0800
Subject: [PATCH] fix: action ci script security

---
 .github/workflows/auto-release.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/auto-release.yml b/.github/workflows/auto-release.yml
index fcc4d3f2b..37bcea997 100644
--- a/.github/workflows/auto-release.yml
+++ b/.github/workflows/auto-release.yml
@@ -54,10 +54,11 @@ jobs:
         with:
           ref: ${{ steps.comment.outputs.branch }}
       - name: Commit and push if needed
+        env:
+          BODY: ${{ github.event.comment.body }}
         run: |
           txt=$(cat CHANGELOG.md)
-          body='${{ github.event.comment.body }}'
-          echo "${txt%%##*}${body}${txt##*---}" > CHANGELOG.md
+          echo "${txt%%##*} $BODY ${txt##*---}" > CHANGELOG.md
           git add .
           git config --local user.email "github-actions[bot]@users.noreply.github.com"
           git config --local user.name "github-actions[bot]"