From 650fb1aa51a1c843c10bc89a11732b45a6345b00 Mon Sep 17 00:00:00 2001
From: "Fred K. Schott"
Date: Mon, 14 Feb 2022 10:43:12 -0800
Subject: [PATCH] fix security issue: untrusted ci output
---
 .github/workflows/issue.yml | 2 --
 .github/workflows/main.yml | 4 +++-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/issue.yml b/.github/workflows/issue.yml
index e1696570f..df36439f5 100644
--- a/.github/workflows/issue.yml
+++ b/.github/workflows/issue.yml
@@ -12,8 +12,6 @@ jobs:
 runs-on: ubuntu-latest
 name: Auto-assign new issues to projects
 steps:
- - run: echo "${{github.event.issue.title}}"
-
 - name: Assign Bugs to the Bug Tracker
 uses: srggrs/assign-one-project-github-action@1.2.1
 if: github.event.action == 'opened' && startsWith(github.event.issue.title, '🐛 BUG:')
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 3dc03bf20..e92f0c627 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -20,8 +20,10 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - id: setup
+ env:
+ MESSAGE: ${{ github.event.commits[0].message }}
 run: |
- TRIMMED=$(echo "${{ github.event.commits[0].message }}" | sed '1!d;q')
+ TRIMMED=$(echo "$MESSAGE" | sed '1!d;q')
 echo "::set-output name=COMMIT_MSG::${TRIMMED}"
 - name: Send a Discord notification when a PR is merged
 env:
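Review bot: The step output written by the unchanged `echo "::set-output name=COMMIT_MSG::${TRIMMED}"` line in main.yml still carries text taken from the commit message, so moving `github.event.commits[0].message` into `MESSAGE` protects only this one `run:` script. Any later step that reads `steps.setup.outputs.COMMIT_MSG` should bind it under `env:` and use the shell variable rather than expanding `${{ … }}` inside `run:`; the Discord step that follows opens an `env:` block, but its body lies outside the hunk and could not be checked. A comment above the new `env:` key, for example `# Untrusted commit text: pass through env, never expand ${{ }} inside run`, would keep the reason visible to the next editor. `printf '%s\n' "$MESSAGE"` is also a more robust spelling than `echo "$MESSAGE"`, since echo treats a value such as `-n` as an option.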