From a453ad5f3b83c30d089db9fb0e7646b38dcbf7e0 Mon Sep 17 00:00:00 2001
From: Diogo Teles Sant'Anna
Date: Thu, 8 Aug 2024 18:06:24 +0000
Subject: [PATCH] fix: github workflow vulnerable to script injection

Signed-off-by: Diogo Teles Sant'Anna
---
 .github/workflows/integration_tests.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/integration_tests.yml b/.github/workflows/integration_tests.yml
index 181fcbf4e..cf7855849 100644
--- a/.github/workflows/integration_tests.yml
+++ b/.github/workflows/integration_tests.yml
@@ -8,6 +8,9 @@ on:
 TRAVIS_COM_TOKEN:
 required: true
 
+env:
+ HEAD_REF: ${{ github.head_ref }}
+
 jobs:
 integration_tests:
 runs-on: ubuntu-latest
@@ -22,7 +25,7 @@ jobs:
 - name: set SDK Branch if PR
 if: ${{ github.event_name == 'pull_request' }}
 run: |
- echo "SDK_BRANCH=${{ github.head_ref }}" >> $GITHUB_ENV
+ echo "SDK_BRANCH=$HEAD_REF" >> $GITHUB_ENV
 - name: set SDK Branch if not pull request
 if: ${{ github.event_name != 'pull_request' }}
 run: |
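Review bot: The `env:` block added in the first hunk is declared at workflow level, so `HEAD_REF` is exported to every job and step rather than only to the step that reads it. The PR-author-controlled branch name is needed only by the `set SDK Branch if PR` step in the second hunk, so a step-level `env:` holding `HEAD_REF: ${{ github.head_ref }}` would keep the untrusted value out of unrelated steps. A comment above the mapping, such as `# untrusted PR branch name: pass through env, never interpolate into run:`, would record why the indirection exists so it is not later "simplified" back.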
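Review bot: `SDK_BRANCH`, written to `$GITHUB_ENV` by the changed `echo` line, still carries the PR author's branch name, so the injection stays closed only if later steps read it as a shell variable. The rest of the job lies outside this hunk. If any later `run:` block expands `${{ env.SDK_BRANCH }}`, the same template injection returns one step downstream, and those uses should become `"$SDK_BRANCH"`. Quoting the redirect target, `>> "$GITHUB_ENV"`, is a small hardening of the same line.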