ci: fix critical security vulnerability by prevent script injection (#323)

Djaytan · web-flow · commit cbc2738b8989 · 2025-08-10T14:36:18.000+02:00
diff --git a/.github/workflows/release-dry-run.yml b/.github/workflows/release-dry-run.yml
@@ -62,7 +62,7 @@ jobs:
         # Unset the `GITHUB_ACTIONS` environment variable to trick semantic-release into thinking it's not running in a CI environment,
         # as `--no-ci` alone is insufficient.
         #
-        # Use `--branches '${{ github.head_ref }}'` to consider the PR head ref (source branch) as a release one for the dry run.
+        # Use `--branches "${GITHUB_HEAD_REF}"` to consider the PR head ref (source branch) as a release one for the dry run.
         run: |
           unset GITHUB_ACTIONS
-          npx --no-install semantic-release --dry-run --no-ci --branches '${{ github.head_ref }}'
+          npx --no-install semantic-release --dry-run --no-ci --branches "${GITHUB_HEAD_REF}"
