From e182e2067ad06c84bb652581b9ccf0dc1bc8263a Mon Sep 17 00:00:00 2001
From: hudeng
Date: Fri, 15 May 2026 15:28:26 +0800
Subject: [PATCH] fix: avoid shell injection via PR body containing backticks

Move PR_BODY to an env variable instead of inline shell assignment to prevent backticks from being interpreted as command substitution.

Log:
---
 .github/workflows/commitlint.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/commitlint.yml b/.github/workflows/commitlint.yml
index 6ab35d8b1..8d3e955d8 100644
--- a/.github/workflows/commitlint.yml
+++ b/.github/workflows/commitlint.yml
@@ -14,9 +14,10 @@ jobs:
 - name: check PR description for AI co-author pattern
 shell: bash
+ env:
+ PR_BODY: ${{ github.event.pull_request.body }}
 run: |
 BLOCKED_PATTERN='Co-authored-by:.*ai|Co-authored-by:.*agent|Co-authored-by:.*copilot|Co-authored-by:.*llm|Co-authored-by:.*gpt'
- PR_BODY="${{ github.event.pull_request.body }}"
 if echo "${PR_BODY}" | grep -Eiq "${BLOCKED_PATTERN}"; then
 echo "FAIL: PR description contains blocked co-author AI pattern." >&2
 echo "Blocked pattern: ${BLOCKED_PATTERN}" >&2