Address potential template injection (#30)

madrob · HT154 · web-flow · commit e22f293934bc · 2026-01-12T13:37:56.000-08:00
Co-authored-by: Jen Basch &lt;jbasch@apple.com&gt;
diff --git a/.github/index.pkl b/.github/index.pkl
@@ -1,5 +1,5 @@
 //===----------------------------------------------------------------------===//
-// Copyright © 2025 Apple Inc. and the Pkl project authors. All rights reserved.
+// Copyright © 2025-2026 Apple Inc. and the Pkl project authors. All rights reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -84,8 +84,11 @@ local publishJob: Workflow.Job = new {
       `if` = "inputs.source_run != null"
       run =
         """
-        echo "Triggered by workflow in repo: ${{ inputs.source_run }}" >> $GITHUB_STEP_SUMMARY
+        echo "Triggered by workflow in repo: ${INPUTS_SOURCE_RUN}" >> $GITHUB_STEP_SUMMARY
         """
+      env {
+        ["INPUTS_SOURCE_RUN"] = "${{ inputs.source_run }}"
+      }
     }
     (catalog.`actions/checkout@v6`) {
       with {
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -26,7 +26,9 @@ jobs:
     steps:
     - name: Triggered by
       if: inputs.source_run != null
-      run: 'echo "Triggered by workflow in repo: ${{ inputs.source_run }}" >> $GITHUB_STEP_SUMMARY'
+      env:
+        INPUTS_SOURCE_RUN: ${{ inputs.source_run }}
+      run: 'echo "Triggered by workflow in repo: ${INPUTS_SOURCE_RUN}" >> $GITHUB_STEP_SUMMARY'
     - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
       with:
         persist-credentials: false
