From 1fb366d42bf11926bcf7acfc820daab56b9a3271 Mon Sep 17 00:00:00 2001
From: AJ
Date: Thu, 17 Oct 2024 08:50:31 -0700
Subject: [PATCH] Replace github.ref with GITHUB_REF in build.yml scripts (#4857)

Data should be separated from code where possible to avoid injection (CWE-78).
* https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#understanding-the-risk-of-script-injections
* https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/store-information-in-variables#default-environment-variables
---
 .github/workflows/build.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 03fef25b8..6df666417 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -311,7 +311,7 @@ jobs:
 github.ref == 'refs/heads/hotfix-rc'
 run: |
 # Set proper setup image based on branch
- case "${{ github.ref }}" in
+ case "$GITHUB_REF" in
 "refs/heads/main")
 SETUP_IMAGE="$_AZ_REGISTRY/setup:dev"
 ;;
@@ -528,9 +528,9 @@ jobs:
 workflow_id: 'build-unified.yml',
 ref: 'main',
 inputs: {
- server_branch: '${{ github.ref }}'
+ server_branch: process.env.GITHUB_REF
 }
- })
+ });

 trigger-k8s-deploy:
 name: Trigger k8s deploy
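Review bot: Nothing in this `run:` block records why `$GITHUB_REF` is read from the environment, so a later edit could reintroduce `${{ github.ref }}`, which the runner expands into the script text before the shell parses it. A short comment above the `case` line would keep the reason visible, for example `# Read the ref from $GITHUB_REF; do not inline ${{ github.ref }} into this script`. The double quotes around `"$GITHUB_REF"` are correct and should stay. The step's script starts and continues outside the hunk, so any other `${{ ... }}` expansions in the same block are not visible here and are worth checking for the same pattern.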
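Review bot: The value set at `server_branch: process.env.GITHUB_REF` is forwarded as a dispatch input to `build-unified.yml`, so the injection boundary moves to that workflow rather than going away. If the receiving workflow expands `${{ inputs.server_branch }}` (or the `github.event.inputs` form) inside a `run:` or script block, the same CWE-78 pattern recurs there; it should map the input to an `env:` entry and read it as a quoted variable. That workflow is not part of this diff, so this is a follow-up check rather than a defect seen in these lines. A comment such as `// full ref (refs/heads/...), passed as data; the receiver must not inline it into a script` next to the input would document the contract. The enclosing script call begins outside the hunk.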