From b6c7ce3a9cb2ca80f1cb852be52f0804d6a750e0 Mon Sep 17 00:00:00 2001
From: Christoph Reiter <reiter.christoph@gmail.com>
Date: Fri, 6 Dec 2024 13:47:33 +0100
Subject: [PATCH] CI-hardening: escape the msys2-location output

While that comes from our own action, so we can in theory trust it,
escape it for good measure. Can't hurt and silences a warning.
---
 .github/workflows/build.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index d235aaf..ba25226 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -173,7 +173,8 @@ jobs:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         GITHUB_TOKEN_READONLY: ${{ secrets.GITHUBTOKENREADONLY }}
         GITHUB_RUN_NAME: ${{ matrix.name }}
+        MSYS2_ROOT: ${{ steps.msys2.outputs.msys2-location }}
       run: |
         $env:VCPKG_ROOT=''
         $BUILD_ROOT='C:\'
-        python -m msys2_autobuild build ${{ matrix.build-args }} '${{ steps.msys2.outputs.msys2-location }}' "$BUILD_ROOT"
+        python -m msys2_autobuild build ${{ matrix.build-args }} "$env:MSYS2_ROOT" "$BUILD_ROOT"