From 8c84fa67f665646f847333b2b5d64ae0e1ceadd1 Mon Sep 17 00:00:00 2001
From: FarhanAnjum-opti
Date: Wed, 25 Sep 2024 19:55:20 +0600
Subject: [PATCH] FSSDK-10665] fix: Github Actions YAML files vulnerable to script injections corrected
---
 .github/workflows/integration_tests.yml | 10 +++++++---
 .github/workflows/unit_tests.yml | 8 ++++++--
 2 files changed, 13 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/integration_tests.yml b/.github/workflows/integration_tests.yml
index 181fcbf4e..1064e6910 100644
--- a/.github/workflows/integration_tests.yml
+++ b/.github/workflows/integration_tests.yml
@@ -20,14 +20,18 @@ jobs:
 path: 'home/runner/travisci-tools'
 ref: 'master'
 - name: set SDK Branch if PR
+ env:
+ HEAD_REF: ${{ github.head_ref }}
 if: ${{ github.event_name == 'pull_request' }}
 run: |
- echo "SDK_BRANCH=${{ github.head_ref }}" >> $GITHUB_ENV
+ echo "SDK_BRANCH=$HEAD_REF" >> $GITHUB_ENV
 - name: set SDK Branch if not pull request
+ env:
+ REF_NAME: ${{ github.ref_name }}
 if: ${{ github.event_name != 'pull_request' }}
 run: |
- echo "SDK_BRANCH=${{ github.ref_name }}" >> $GITHUB_ENV
- echo "TRAVIS_BRANCH=${{ github.ref_name }}" >> $GITHUB_ENV
+ echo "SDK_BRANCH=$REF_NAME" >> $GITHUB_ENV
+ echo "TRAVIS_BRANCH=$REF_NAME" >> $GITHUB_ENV
 - name: Trigger build
 env:
 SDK: swift
diff --git a/.github/workflows/unit_tests.yml b/.github/workflows/unit_tests.yml
index 3fd6ddfdd..dff3121d3 100644
--- a/.github/workflows/unit_tests.yml
+++ b/.github/workflows/unit_tests.yml
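Review bot: The branch name handled in the `set SDK Branch if PR` step of integration_tests.yml is still chosen by the pull-request author; passing it through `HEAD_REF` stops expression expansion inside this `run:` script, but the value is then persisted to `$GITHUB_ENV` for every later step. The `Trigger build` step that follows continues outside the hunk, so it should be checked that it reads `SDK_BRANCH` and `TRAVIS_BRANCH` only as quoted shell variables (`"$SDK_BRANCH"`) and never interpolates them into a script with an `env.` expression. A short comment above each new `env:` key, such as `# pass event data via env; do not interpolate github.* expressions in run:`, would keep the pattern from being reverted later, and the redirect target is better quoted as `>> "$GITHUB_ENV"`. The same applies to the two steps changed in unit_tests.yml.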
@@ -54,13 +54,17 @@ jobs:
 # macos version and supported simulator_xcode_versions are all related to this xcode_version, so be careful when you upgrade this.
 xcode-version: 14.1
 - name: set SDK Branch if PR
+ env:
+ BASE_REF: ${{ github.base_ref }}
 if: ${{ github.event_name == 'pull_request' }}
 run: |
- echo "BRANCH=${{ github.base_ref }}" >> $GITHUB_ENV
+ echo "BRANCH=$BASE_REF" >> $GITHUB_ENV
 - name: set SDK Branch if not pull request
+ env:
+ REF_NAME: ${{ github.ref_name }}
 if: ${{ github.event_name != 'pull_request' }}
 run: |
- echo "BRANCH=${{ github.ref_name }}" >> $GITHUB_ENV
+ echo "BRANCH=$REF_NAME" >> $GITHUB_ENV
 - id: unit_tests
 env:
 SCHEME: ${{ matrix.scheme }}
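Review bot: The two `set SDK Branch` steps in unit_tests.yml now differ only in which context value they copy into `BRANCH`, so they can be folded into a single `env:` mapping and the write to `$GITHUB_ENV` dropped. Assuming the workflow runs only on push and pull_request events (the `on:` block is outside the hunk) and no later step reassigns `BRANCH`, a job-level entry `BRANCH: ${{ github.base_ref || github.ref_name }}` yields the same value, because `github.base_ref` is empty outside pull requests. Values supplied through `env:` are not parsed by the shell, so this keeps the injection fix while removing two `run:` scripts that handle event data.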