From de6be7380f787b894b5e7e44218b66c3551df72f Mon Sep 17 00:00:00 2001 From: Diogo Teles Sant'Anna Date: Wed, 7 Aug 2024 20:24:57 +0000 Subject: [PATCH] fix: github workflow vulnerable to script injection Signed-off-by: Diogo Teles Sant'Anna --- .github/workflows/irc.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/irc.yml b/.github/workflows/irc.yml index d248c616..8b7b5246 100644 --- a/.github/workflows/irc.yml +++ b/.github/workflows/irc.yml @@ -2,6 +2,9 @@ name: irc on: [push] +env: + COMMIT_MESSAGE: ${{ github.event.commits[0].message }} + jobs: notification: runs-on: ubuntu-latest @@ -10,7 +13,7 @@ jobs: - name: Format message id: message run: | - message="${{ github.actor }} pushed $(echo '${{ github.event.commits[0].message }}' | head -n 1) ${{ github.event.commits[0].url }}" + message="${{ github.actor }} pushed $(echo '$COMMIT_MESSAGE' | head -n 1) ${{ github.event.commits[0].url }}" echo ::set-output name=message::"${message}" - name: IRC notification uses: Gottox/irc-message-action@v2
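Review bot: The new `env:` block sits at workflow level, so `COMMIT_MESSAGE` is exported into the environment of every step in the `notification` job, not just the `Format message` step that reads it; moving the same two lines under that step (`env:` / `COMMIT_MESSAGE: ${{ github.event.commits[0].message }}` beneath its `run:`) keeps the attacker-influenced value out of the environment of the `IRC notification` step and any step added later. This is a scoping point rather than a defect in the fix itself, since passing the value through an environment variable instead of inlining it into the script is the right mitigation. The enclosing `jobs:` mapping continues outside the hunk.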
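Review bot: The new `run:` line wraps the variable in single quotes, `echo '$COMMIT_MESSAGE'`, so the shell never expands it and the IRC message will literally contain the text `$COMMIT_MESSAGE` instead of the commit subject; the injection is closed, but the notification is now broken. Use double quotes (and `printf` so a message starting with `-n`/`-e` is not read as an option), i.e. `message="${{ github.actor }} pushed $(printf '%s\n' "$COMMIT_MESSAGE" | head -n 1) ${{ github.event.commits[0].url }}"`. The same line still inlines `${{ github.actor }}` and `${{ github.event.commits[0].url }}` via template expansion; both are GitHub-generated and far more constrained than a commit message, but routing them through `env:` as well would make the step uniformly safe rather than relying on that. Separately, the unchanged context line `echo ::set-output name=message::"${message}"` uses the deprecated `set-output` command and can be replaced by `echo "message=${message}" >> "$GITHUB_OUTPUT"`. The `steps:` sequence this hunk belongs to starts outside the hunk.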