fix: posible code injection on test fork workflow

absis · web-flow · commit e9b6f47d0f4b · 2025-09-23T11:15:18.000+02:00
diff --git a/.github/workflows/test-deploy-fork.yml b/.github/workflows/test-deploy-fork.yml
@@ -35,12 +35,14 @@ jobs:
 
       - name: Link this CI run to PR
         uses: actions/github-script@100527700e8b29ca817ac0e0dfbfc5e8ff38edda # v6.1.1
+        env:
+          PR_NUMBER: ${{ steps.get_pr_number.outputs.pr_number }}
         with:
           script: |
             await github.rest.issues.createComment({
               owner: context.repo.owner,
               repo: context.repo.repo,
-              issue_number: Number('${{ steps.get_pr_number.outputs.pr_number }}'),
+              issue_number: Number(process.env.PR_NUMBER),
               body: '🔎 Tests and deployment are running now!\nSee progress at ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}'
             });
 
@@ -130,7 +132,7 @@ jobs:
             await github.rest.issues.createComment({
               owner: context.repo.owner,
               repo: context.repo.repo,
-              issue_number: ${{ env.PR_NUMBER }},
+              issue_number: Number(process.env.PR_NUMBER),
               body: `- Ipfs hash: ${{ steps.pinata.outputs.hash }}\n- Ipfs preview link: ${{ steps.pinata.outputs.uri }}`
             });
 
@@ -203,7 +205,7 @@ jobs:
         continue-on-error: true
         with:
           SUCCESS: 'false'
-          PULL_REQUEST_NUMBER: ${{ env.PR_NUMBER }}
+          PULL_REQUEST_NUMBER: '${{ env.PR_NUMBER }}'
           TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
   notify_success:
@@ -232,5 +234,5 @@ jobs:
         continue-on-error: true
         with:
           SUCCESS: 'true'
-          PULL_REQUEST_NUMBER: ${{ env.PR_NUMBER }}
+          PULL_REQUEST_NUMBER: '${{ env.PR_NUMBER }}'
           TOKEN: ${{ secrets.GITHUB_TOKEN }}
