Fix security warning for github.head_ref in bundle-size workflow

AbanoubGhadban · claude · AbanoubGhadban · commit d6cec1a667a8 · 2025-11-30T20:46:46.000+02:00
Move github.head_ref from inline script interpolation to an environment variable to prevent potential command injection attacks from malicious branch names containing shell metacharacters. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/.github/workflows/bundle-size.yml b/.github/workflows/bundle-size.yml
@@ -21,9 +21,10 @@ jobs:
 
       - name: Check if branch should skip size check
         id: skip-check
+        env:
+          BRANCH: ${{ github.head_ref }}
         run: |
           SKIP_FILE=".bundle-size-skip-branch"
-          BRANCH="${{ github.head_ref }}"
           SKIP_BRANCH=$(grep -v '^[[:space:]]*#' "$SKIP_FILE" 2>/dev/null | grep -v '^[[:space:]]*$' | tr -d '[:space:]' || echo "")
           if [ "$SKIP_BRANCH" = "$BRANCH" ]; then
             echo "skip=true" >> $GITHUB_OUTPUT
