From d0c3ec33bf79018fe6be4244a29ba5769a646e54 Mon Sep 17 00:00:00 2001
From: Alex Gaynor
Date: Fri, 6 Dec 2024 10:48:07 -0500
Subject: [PATCH] Avoid interpolating values into bash

This can lead to code execution. See https://woodruffw.github.io/zizmor/audits/#template-injection for details
---
.github/workflows/coverage-pr-base.yml | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/coverage-pr-base.yml b/.github/workflows/coverage-pr-base.yml
index acc645ea876..034d3bb1c6a 100644
--- a/.github/workflows/coverage-pr-base.yml
+++ b/.github/workflows/coverage-pr-base.yml
@@ -19,9 +19,6 @@ jobs:
- name: Set PR base on codecov
run: |
# fetch the merge commit between the PR base and head
- BASE_REF=refs/heads/${{ github.event.pull_request.base.ref }}
- MERGE_REF=refs/pull/${{ github.event.pull_request.number }}/merge
-
git fetch -u --progress --depth=1 origin "+$BASE_REF:$BASE_REF" "+$MERGE_REF:$MERGE_REF"
while [ -z "$(git merge-base "$BASE_REF" "$MERGE_REF")" ]; do
git fetch -u -q --deepen="10" origin "$BASE_REF" "$MERGE_REF";
@@ -38,3 +35,8 @@ jobs:
--slug PyO3/pyo3 \
--token ${{ secrets.CODECOV_TOKEN }} \
--service github
+ env:
# Don't put these in bash, because we don't want the expansion to
# risk code execution
+ BASE_REF: "refs/heads/{{ github.event.pull_request.base.ref }}"
+ MERGE_REF: "refs/pull/${{ github.event.pull_request.number }}/merge"
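Review bot: The new `BASE_REF` line in the `env:` block is missing the `$` before `{{`, so GitHub Actions will not expand it and the step exports the literal string `refs/heads/{{ github.event.pull_request.base.ref }}`; the `git fetch` refspec built from `$BASE_REF` in the retained `run:` lines will then fail, and this is the one value of the two that the commit message's injection concern actually applies to, since `pull_request.number` is numeric. It should read `BASE_REF: "refs/heads/${{ github.event.pull_request.base.ref }}"`, matching `MERGE_REF` on the next line. The `--token ${{ secrets.CODECOV_TOKEN }}` context line a few lines above still interpolates a value into the shell; it is maintainer-controlled rather than attacker-controlled, but moving it to `env:` as `CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}` and passing `--token "$CODECOV_TOKEN"` would keep the step consistent with the stated intent. The step's `run:` block begins outside this hunk, and the collapsed layout here does not show the indentation of `env:`, which must sit at step level (a sibling of `run:`) for `$BASE_REF` and `$MERGE_REF` to be visible to that shell.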