From 4682145562fccea36f19499777231364ca4f2f00 Mon Sep 17 00:00:00 2001
From: melissag-ensemble
Date: Tue, 26 May 2026 09:43:39 -0700
Subject: [PATCH] fix: prevent shell injection from context expressions in run blocks
---
 .github/workflows/lint.yml | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 8c66a80..bec32fe 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -15,8 +15,10 @@ jobs:
 - name: Check for src/pages changes
 id: changes
+ env:
+ BASE_REF: ${{ github.base_ref }}
 run: |
- git diff --name-only origin/${{ github.base_ref }}...HEAD | grep -q '^src/pages/' \
+ git diff --name-only "origin/${BASE_REF}...HEAD" | grep -q '^src/pages/' \
 && echo "changed=true" >> $GITHUB_OUTPUT \
 || echo "changed=false" >> $GITHUB_OUTPUT
@@ -28,7 +30,9 @@ jobs:
 - name: Save PR number
 if: always()
- run: echo "${{ github.event.pull_request.number }}" > pr-number.txt
+ env:
+ PR_NUMBER: ${{ github.event.pull_request.number }}
+ run: echo "$PR_NUMBER" > pr-number.txt
 - name: Upload linter report
 if: always()
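Review bot: In the `Check for src/pages changes` step the `&& … || …` chain still writes `changed=false` when `git diff` itself fails (for example if `origin/${BASE_REF}` was never fetched), so a broken diff looks the same as "no src/pages changes" and whatever is gated on this output is presumably skipped. Capturing the list first makes that failure visible: `files=$(git diff --name-only "origin/${BASE_REF}...HEAD")` followed by `grep -q '^src/pages/' <<<"$files"`, which aborts the step if it runs under the runner's default `bash -e`. The redirect target should also be quoted, `>> "$GITHUB_OUTPUT"`, to match the quoting this commit introduces for the ref.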
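Review bot: The `Save PR number` step has no comment saying how `pr-number.txt` may be trusted, and moving the value into `PR_NUMBER` does not change what a reader of that file can rely on. If the file is uploaded as an artifact and read by a later, more privileged workflow (not visible in this hunk), that consumer has to treat it as untrusted and confirm it is all digits before use, since a pull request can presumably alter the workflow that writes it. I would record that on the step, e.g. `# pr-number.txt is untrusted input for any workflow that downloads it; validate it as an integer there`. With `if: always()` the file also holds only an empty line on events that are not pull requests, which the reader should handle.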