fix: use env vars instead of inline expression interpolation

philipbalinov · claude · philipbalinov · commit 811b17b6b1f7 · 2026-04-23T14:00:33.000+03:00
Avoid script injection by passing workflow_run event fields through
env: rather than interpolating ${{ }} directly in the shell script.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/auto-approve-bot-runs.yml b/.github/workflows/auto-approve-bot-runs.yml
@@ -19,6 +19,9 @@ jobs:
       - name: Approve workflow run
         env:
           GH_TOKEN: ${{ github.token }}
+          RUN_ID: ${{ github.event.workflow_run.id }}
+          ACTOR: ${{ github.event.workflow_run.actor.login }}
+          REPO: ${{ github.repository }}
         run: |
-          echo "Approving run ${{ github.event.workflow_run.id }} triggered by ${{ github.event.workflow_run.actor.login }}"
-          gh run approve ${{ github.event.workflow_run.id }} --repo ${{ github.repository }}
+          echo "Approving run $RUN_ID triggered by $ACTOR"
+          gh run approve "$RUN_ID" --repo "$REPO"
