From d02ee5424940dc87c31d68974e0dbc965d6d9afb Mon Sep 17 00:00:00 2001
From: "Marcus R. Brown"
Date: Thu, 23 Jan 2025 08:13:06 -0700
Subject: [PATCH] ci(main): fix potential script injection
---
 .github/workflows/main.yaml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
index 62c80d49..76bf15b7 100644
--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
@@ -40,6 +40,8 @@ jobs:
 release:
 name: Release
 if: github.repository == 'bfra-me/works'
+ env:
+ PUBLISH_REF: ${{ github.head_ref }}
 needs:
 - ci
 permissions:
@@ -64,14 +66,14 @@ jobs:
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 fetch-depth: 0
- ref: ${{ github.head_ref }}
+ ref: ${{ env.PUBLISH_REF }}
 token: ${{ steps.get-workflow-access-token.outputs.token }}
 - name: Prepare job
 uses: ./.github/actions/pnpm-install
 - name: Perform a dry run of `pnpm publish`
- run: pnpm -r publish --dry-run --publish-branch ${{ github.head_ref}}
+ run: pnpm -r publish --dry-run --publish-branch ${{ env.PUBLISH_REF }}
 - name: Create Release Pull Request or Publish to npm
 if: github.ref == 'refs/heads/main'
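Review bot: The job-level `PUBLISH_REF` added here only closes the injection vector if the shell step reads it from the process environment, but the `run:` line in the second hunk still writes `${{ env.PUBLISH_REF }}` into the script, and every `${{ }}` expression — the `env` context included — is expanded by the runner before the shell starts, so the untrusted branch name is still spliced into the command text verbatim. That step should become `run: pnpm -r publish --dry-run --publish-branch "$PUBLISH_REF"`, which is what indirecting through `env` is for. The `ref: ${{ env.PUBLISH_REF }}` passed to actions/checkout is an action input rather than shell text and can stay as written. A comment on the new `env:` block would keep the next editor from undoing the indirection, e.g. `# Expose the branch name via env so run: steps use "$PUBLISH_REF" instead of interpolating github.head_ref into shell`. The second hunk continues past the end of this excerpt.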