From de5287c49d45e9ee763426ab12aa50659573b3be Mon Sep 17 00:00:00 2001
From: Korbinian Stoemmer
Date: Mon, 16 Dec 2024 14:55:40 +0100
Subject: [PATCH] chore: Apply security suggestions for gha (#1681)
---
.github/workflows/pr-github-checks.yml | 19 ++++++++++++++-----
1 file changed, 14 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/pr-github-checks.yml b/.github/workflows/pr-github-checks.yml
index d977cdc37..cc52d6bb0 100644
--- a/.github/workflows/pr-github-checks.yml
+++ b/.github/workflows/pr-github-checks.yml
@@ -31,38 +31,47 @@ jobs: - name: Check for area label if: always() run: | - gh api --jq '.labels.[].name' /repos/${{ github.repository }}/pulls/${{ github.event.number }} | \ + gh api --jq '.labels.[].name' /repos/${REPO}/pulls/${NUMBER} | \ grep -q '^area\/' || (echo "area label missing"; exit 1) env: GH_TOKEN: ${{ github.token }} + REPO: ${{ github.repository }} + NUMBER: ${{ github.event.number }} - name: Check for kind label if: always() run: | - gh api --jq '.labels.[].name' /repos/${{ github.repository }}/pulls/${{ github.event.number }} | \ + gh api --jq '.labels.[].name' /repos/${REPO}/pulls/${NUMBER} | \ grep -q '^kind\/' || (echo "kind label missing"; exit 1) env: GH_TOKEN: ${{ github.token }} + REPO: ${{ github.repository }} + NUMBER: ${{ github.event.number }} - name: Check if kind label matches pr title prefix if: always() run: | - kind_label=$( gh api --jq '.labels.[].name' /repos/${{ github.repository }}/pulls/${{ github.event.number }} | grep '^kind/') + kind_label=$( gh api --jq '.labels.[].name' /repos/${REPO}/pulls/${NUMBER} | grep '^kind/') kind_label_to_pr_title_prefix='{"kind/bug":"fix","kind/feature":"feat","kind/docs":"docs","kind/chore":"chore","kind/flaky-test":"test","kind/missing-test":"test","kind/failing-test":"test","kind/deps":"deps"}' prefix=$(echo $kind_label_to_pr_title_prefix | jq -r ".\"$kind_label\"") - echo "${{ github.event.pull_request.title }}" | grep '^'$prefix || (echo "PR title should start with $prefix"; exit 1) + echo "$TITLE" | grep '^'$prefix || (echo "PR title should start with $prefix"; exit 1) env: GH_TOKEN: ${{ github.token }} + TITLE: ${{ github.event.pull_request.title }} + REPO: ${{ github.repository }} + NUMBER: ${{ github.event.number }} - name: Check that there is no do-not-merge label if: always() run: | - labels=$(gh api --jq '.labels.[]' /repos/${{ github.repository }}/pulls/${{ github.event.number }} ) + labels=$(gh api --jq '.labels.[]' /repos/${REPO}/pulls/${NUMBER} ) echo "Labels found: $( echo 
$labels | jq -r '.name' )" ! echo "$labels" | jq 'select(.name | startswith("do-not-merge"))' | jq -n "input.name" env: GH_TOKEN: ${{ github.token }} + REPO: ${{ github.repository }} + NUMBER: ${{ github.event.number }} pr-title-check: runs-on: ubuntu-latest
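Review bot: In the "Check if kind label matches pr title prefix" step the PR title still goes through `echo "$TITLE"`, and bash's builtin echo treats a title beginning with `-n`, `-e` or `-E` as an option, so such a title is altered before grep sees it; `printf '%s\n' "$TITLE"` passes the value through unchanged. On the same line `grep '^'$prefix` leaves `$prefix` unquoted and prints the matching title to the log; `grep -q -- "^$prefix"` keeps the pattern a single word and makes the step's only output the explicit failure message. Moving the `${{ }}` expressions into `env:` is the right injection fix; the remaining `/repos/${REPO}/pulls/${NUMBER}` interpolations in the four `gh api` calls would read consistently as `"${REPO}"`/`"${NUMBER}"`, though those two values are not controlled by the PR author. The job and its `steps:` list begin above the hunk, so the `shell:`/`defaults:` in effect for these `run:` blocks are not visible here.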