From 4a32d4aa645475ebe1e8980d7a299d87a9ed6c8c Mon Sep 17 00:00:00 2001
From: Warren He
Date: Tue, 30 Apr 2024 10:47:22 -0700
Subject: [PATCH 1/3] ci: use env to pass PR title
---
 .changelog/527.internal.md | 1 +
 .github/workflows/ci-dependabot.yml | 7 ++++++-
 2 files changed, 7 insertions(+), 1 deletion(-)
 create mode 100644 .changelog/527.internal.md
diff --git a/.changelog/527.internal.md b/.changelog/527.internal.md
new file mode 100644
index 00000000..c382557e
--- /dev/null
+++ b/.changelog/527.internal.md
@@ -0,0 +1 @@
+CI: fix command injection plus other changes
diff --git a/.github/workflows/ci-dependabot.yml b/.github/workflows/ci-dependabot.yml
index abb380a4..5898f28b 100644
--- a/.github/workflows/ci-dependabot.yml
+++ b/.github/workflows/ci-dependabot.yml
@@ -33,8 +33,13 @@ jobs:
 run: |
 echo "FILE_NAME=.changelog/${{ github.event.pull_request.number }}.internal.md" >> $GITHUB_OUTPUT
 - name: Create Change Log file
+ env:
+ # There's no support for escaping this for use in a shell command.
+ # GitHub's recommendation is to pass it through the environment.
+ # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
+ TITLE: ${{ github.event.pull_request.title }}
 run: |
- echo ${{ github.event.pull_request.title }} > ${{ steps.vars.outputs.FILE_NAME }}
+ echo "$TITLE" > ${{ steps.vars.outputs.FILE_NAME }}
 - name: Commit Change Log file
 run: |
 # Set git user email and name to match author of the last commit.
From d267081070e78d0552ffa461f84f2337992f803e Mon Sep 17 00:00:00 2001
From: Warren He
Date: Tue, 30 Apr 2024 10:47:48 -0700
Subject: [PATCH 2/3] ci: use env var instead of command string interpolation
---
 .github/workflows/ci-dependabot.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/ci-dependabot.yml b/.github/workflows/ci-dependabot.yml
index 5898f28b..af3ec035 100644
--- a/.github/workflows/ci-dependabot.yml
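Review bot: `echo "$TITLE"` on the added line still hands the title to bash's builtin echo, which treats a value beginning with `-n`, `-e` or `-E` as an option rather than text, so such a title lands in the changelog fragment altered or truncated; `printf '%s\n' "$TITLE" > "${{ steps.vars.outputs.FILE_NAME }}"` writes the value verbatim. The redirect target is still expanded into the script by `${{ }}`; it is built from `pull_request.number`, which is numeric, so it is not injectable, but quoting it as above keeps the step in line with the principle the new comment states. The steps list this hunk belongs to continues outside the hunk.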
+++ b/.github/workflows/ci-dependabot.yml
@@ -49,4 +49,4 @@ jobs:
 git commit --amend --no-edit
 - name: Push changes back to branch
 run: |
- git push --force-with-lease origin HEAD:refs/heads/${{ github.head_ref }}
+ git push --force-with-lease origin "HEAD:refs/heads/$GITHUB_HEAD_REF"
From 323347cc07174ff117530e46a34a8309752cd569 Mon Sep 17 00:00:00 2001
From: Warren He
Date: Tue, 30 Apr 2024 10:48:03 -0700
Subject: [PATCH 3/3] ci: use default environment variable
---
 .github/workflows/ci-lint.yml | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/ci-lint.yml b/.github/workflows/ci-lint.yml
index c593671d..5e3b364b 100644
--- a/.github/workflows/ci-lint.yml
+++ b/.github/workflows/ci-lint.yml
@@ -57,10 +57,8 @@ jobs:
 # is able to compare the current branch with the base branch.
 # Source: https://github.com/actions/checkout/#fetch-all-branches.
 run: |
- git fetch --no-tags origin +refs/heads/${BASE_BRANCH}:refs/remotes/origin/${BASE_BRANCH}
- towncrier check --compare-with origin/${BASE_BRANCH}
- env:
- BASE_BRANCH: ${{ github.base_ref }}
+ git fetch --no-tags origin "+refs/heads/${GITHUB_BASE_REF}:refs/remotes/origin/${GITHUB_BASE_REF}"
+ towncrier check --compare-with "origin/${GITHUB_BASE_REF}"
 if: github.event_name == 'pull_request'
 - name: Lint git commits
 run: |
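Review bot: `$GITHUB_HEAD_REF` on the new push line is only populated for pull_request-family events; under any other trigger it expands to empty and the refspec becomes `HEAD:refs/heads/`, which surfaces as an opaque git error after the amend has already happened. Writing `git push --force-with-lease origin "HEAD:refs/heads/${GITHUB_HEAD_REF:?}"` fails immediately with a clear message and documents the dependency on the event type. Whether this workflow can run under other triggers is not visible in the hunk, and the step it belongs to starts before it.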
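Review bot: the two rewritten lines expand `${GITHUB_BASE_REF}` unguarded and rely on the `if: github.event_name == 'pull_request'` condition on the following context line to guarantee it is set; using `${GITHUB_BASE_REF:?}` in both commands would make the step fail fast with a readable message if that condition is ever loosened, instead of git rejecting a `+refs/heads/:refs/remotes/origin/` refspec. As a point of style, the sibling change in ci-dependabot.yml uses the unbraced `$GITHUB_HEAD_REF` form; settling on one spelling across the workflows keeps them easy to grep. The step this `run:` belongs to starts before the hunk.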