fix: avoid shell injection when issue body contains single quotes in move-to-main-repo workflow

Agent-Logs-Url: https://github.com/community-scripts/ProxmoxVED/sessions/218a4dbe-5133-4ddf-a076-4b2a9db9dd45 Co-authored-by: MickLesk <47820557+MickLesk@users.noreply.github.com>
2026-03-31 06:24:18 -04:00 · 2026-03-28 21:07:50 +00:00
parent 0d29d6911e
commit 6bcbdc8b4c
1 changed files with 2 additions and 1 deletions
--- a/.github/workflows/move-to-main-repo.yaml
+++ b/.github/workflows/move-to-main-repo.yaml
@@ -38,12 +38,13 @@ jobs:
        id: list_issues
        env:
          GH_TOKEN: ${{ github.token }}
+          ISSUE_JSON: ${{ toJson(github.event.issue) }}
        run: |
          echo "Resolving issue with label Migration To ProxmoxVE"

          if [[ "${{ github.event_name }}" == "issues" ]]; then
            # For labeled issue events, use the exact issue from event payload.
-            filtered_issue='${{ toJson(github.event.issue) }}'
+            filtered_issue="$ISSUE_JSON"
          else
            # Fallback for workflow_dispatch: query explicitly by label and raise limit.
            raw_output=$(gh issue list \