Protect against malicious branch names

2024-12-07 17:04:03 +00:00 · 2024-12-07 17:04:03 +00:00 · d598623305
commit d598623305
parent fe81ac334c
1 changed files with 2 additions and 2 deletions
--- a/.github/workflows/danger.yml
+++ b/.github/workflows/danger.yml
@ -24,10 +24,10 @@ jobs:
          bundler-cache: true
      - name: Create base branch
        run: |
-          git fetch ${{ github.event.pull_request.base.repo.clone_url }} ${{ github.event.pull_request.base.ref }}:danger_base
+          git fetch ${{ github.event.pull_request.base.repo.clone_url }} ${{ github.event.pull_request.base.sha }}:danger_base
      - name: Create head branch
        run: |
-          git fetch ${{ github.event.pull_request.head.repo.clone_url }} ${{ github.event.pull_request.head.ref }}:danger_head
+          git fetch ${{ github.event.pull_request.head.repo.clone_url }} ${{ github.event.pull_request.head.sha }}:danger_head
      - name: Danger
        env:
          DANGER_GITHUB_BEARER_TOKEN: ${{ secrets.GITHUB_TOKEN }}