fix(ci): move untrusted gh context to envvar (#9366)

Mergify workflow directly interpolates elements from GitHub context. While currently there's no significant security implication, we do the [recommended](https://securitylab.github.com/research/github-actions-untrusted-input/) practice of storing them in intermediate environment variables.
Agoric · May 15, 2024 · c56324b · c56324b
2 parents 2dc53d7 + 58fc32e
commit c56324b
Showing 1 changed file with 5 additions and 4 deletions.
diff --git a/.github/workflows/mergify-ready.yml b/.github/workflows/mergify-ready.yml
@@ -57,11 +57,12 @@ jobs:
         with:
           fetch-depth: 0
       - shell: bash
+        env:
+          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
+          HEAD_LABEL: ${{ github.event.pull_request.head.label }}
+          BASE_SHA: ${{ github.event.pull_request.base.sha }}
+          BASE_LABEL: ${{ github.event.pull_request.base.label }}
         run: |
-          HEAD_SHA=${{ github.event.pull_request.head.sha }}
-          HEAD_LABEL="${{ github.event.pull_request.head.label }}"
-          BASE_SHA=${{ github.event.pull_request.base.sha }}
-          BASE_LABEL="${{ github.event.pull_request.base.label }}"
           merge_commits=$(git rev-list --merges "$BASE_SHA".."$HEAD_SHA")
 
           if [ -n "$merge_commits" ]; then