From 7aef394aa88af83882c6a2e483c08d966e8275f4 Mon Sep 17 00:00:00 2001
From: Justus Dieckmann <45795270+justusdieckmann@users.noreply.github.com>
Date: Thu, 2 May 2024 13:25:55 +0200
Subject: [PATCH] Shell escape $BODY in the release workflow
---
 .github/workflows/moodle-release.yml | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/moodle-release.yml b/.github/workflows/moodle-release.yml
index abdf51a..80c3ea6 100644
--- a/.github/workflows/moodle-release.yml
+++ b/.github/workflows/moodle-release.yml
@@ -28,10 +28,11 @@ jobs:
 steps:
 - name: Call the service function
 id: add-version
+ env:
+ TAGNAME: ${{ github.event.release.tag_name }}
+ BODY: ${{ github.event.release.body }}
+ ZIPURL: ${{ github.event.release.zipball_url }}
 run: |
- TAGNAME="${{ github.event.release.tag_name }}"
- BODY="${{ github.event.release.body }}"
- ZIPURL="${{ github.event.release.zipball_url }}"
 RESPONSE=$(${CURL} ${ENDPOINT} --data-urlencode "wstoken=${TOKEN}" \
 --data-urlencode "wsfunction=${FUNCTION}" \
 --data-urlencode "moodlewsrestformat=json" \
@@ -42,7 +43,7 @@ jobs:
 --data-urlencode "vcstag=${TAGNAME}" \
 --data-urlencode "changelogurl=${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/commits/${TAGNAME}" \
 --data-urlencode "altdownloadurl=${ZIPURL}" \
- --data-urlencode "releasenotes=${BODY}" \
+ --data-urlencode "releasenotes=${BODY@Q}" \
 --data-urlencode "releasenotesformat=4")
 echo "response=${RESPONSE}" >> $GITHUB_OUTPUT
 - name: Evaluate the response
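Review bot: The new `env:` block in the "Call the service function" step has no comment saying why the release fields go through the environment instead of being written into `run:`. `${{ … }}` expressions are substituted into the script text before the shell starts, so a tag name or release body containing quotes or `$(…)` would be parsed as shell code. Set through `env:`, the same values only reach the script as data. I would add above `env:` a comment such as `# Release fields are free-form text: pass them via env, never inline ${{ }} in run:` so a later edit does not move them back. The step's `run:` script continues past the end of this hunk.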
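Review bot: `${BODY@Q}` in the `releasenotes=` argument changes the data that is sent rather than making the call safer. Once BODY comes from `env:` (first hunk), `"releasenotes=${BODY}"` is already inert: the expansion sits inside double quotes, its result is not re-parsed by the shell, and `--data-urlencode` does the encoding for the request. `@Q` wraps the value in shell quoting, so the service would receive the notes with literal surrounding quotes (and, for multi-line bodies, probably in `$'…\n…'` escape form). I would keep the line as `--data-urlencode "releasenotes=${BODY}" \`. The curl command starts before this hunk.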