From 7a0e6c2e9e4d2e8a7babe1deabc996871b952bcb Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 17 Mar 2026 10:17:48 +0000
Subject: [PATCH] fix: Escape PR title in update-changelog workflow to prevent command injection Move variable assignments from run: block to env: block to prevent bash from interpreting backticks in PR titles as command substitution. Fixes issue where PR titles like "Remove `v` prefix..." would fail with "v: command not found" error.
Co-authored-by: DannyvdSluijs <618940+DannyvdSluijs@users.noreply.github.com>
---
 .github/workflows/update-changelog.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/update-changelog.yml b/.github/workflows/update-changelog.yml
index 1095659f..28f967d3 100644
--- a/.github/workflows/update-changelog.yml
+++ b/.github/workflows/update-changelog.yml
@@ -58,13 +58,13 @@ jobs:
           echo "Determined category: $CATEGORY"
 
       - name: "Update CHANGELOG.md"
+        env:
+          PR_TITLE: ${{ github.event.pull_request.title }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+          CATEGORY: ${{ steps.category.outputs.category }}
+          GITHUB_REPOSITORY_URL: "https://github.com/${{ github.repository }}"
         run: |
-          PR_TITLE="${{ github.event.pull_request.title }}"
-          PR_NUMBER="${{ github.event.pull_request.number }}"
-          CATEGORY="${{ steps.category.outputs.category }}"
-
           # Use the standalone script to update the changelog
-          export GITHUB_REPOSITORY_URL="https://github.com/${{ github.repository }}"
           ./bin/update-changelog.sh "$PR_TITLE" "$PR_NUMBER" "$CATEGORY"
 
       - name: "Commit and push changes"
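Review bot: Moving the `${{ }}` expressions into `env:` closes the bash injection in the old `PR_TITLE="${{ ... }}"` assignment, but the title is still attacker-controlled data that reaches `./bin/update-changelog.sh` as `$1`, and how that script consumes it is outside this hunk — if it interpolates the title into a `sed`/`awk` expression or a `printf` format string, a title containing `/`, `&` or `%` can still change the script's behaviour or what gets committed to CHANGELOG.md. Worth confirming the script only ever expands the argument as a quoted variable (or via `printf '%s'`) and pinning that contract in the step, e.g. `# PR_TITLE/PR_NUMBER come from the PR event and are untrusted for fork PRs; the script must treat them as opaque data`. Keeping `GITHUB_REPOSITORY_URL` in `env:` preserves the previous `export` semantics, so the script still sees it. The workflow's trigger and the step's permissions are outside the hunk, so whether a fork author can drive this step (e.g. under `pull_request_target`) cannot be judged here.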