Merge pull request #1076 from pyiron/secure_dependabot

Use intermediate PR_TITLE variable to secure workflow
pyiron · Jun 7, 2023 · fe4d299 · fe4d299
2 parents bd1022c + 8b6ec10
commit fe4d299
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/.github/workflows/UpdateDependabotPR.yml b/.github/workflows/UpdateDependabotPR.yml
@@ -15,9 +15,11 @@ jobs:
           fetch-depth: 0 # otherwise, you will fail to push refs to dest repo
           token: ${{ secrets.DEPENDABOT_WORKFLOW_TOKEN }}
       - name: UpdateEnvironmentFile
+        env:
+          PR_TITLE: ${{ github.event.pull_request.title }}
         shell: bash -l {0}
         run: |
-          python .ci_support/update_environment.py ${{ github.event.pull_request.title }}
+          python .ci_support/update_environment.py $PR_TITLE
       - name: UpdateDependabotPR commit
         run: |
           git config --local user.email "[email protected]"