From ab25c512b0dc1b3021217772be839fc6dbc9f3ba Mon Sep 17 00:00:00 2001
From: Marco Nenciarini
Date: Tue, 3 Mar 2026 18:16:46 +0100
Subject: [PATCH] fix(security): harden GitHub Actions workflows against expression injection

Move ${{ }} expressions from run: blocks into step-level env: blocks, then reference them as properly-quoted shell variables.

Signed-off-by: Marco Nenciarini
---
 .github/workflows/sync_docs.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/sync_docs.yml b/.github/workflows/sync_docs.yml
index b768e5d..44cb98e 100644
--- a/.github/workflows/sync_docs.yml
+++ b/.github/workflows/sync_docs.yml
@@ -26,8 +26,8 @@ jobs:
 token: '${{ secrets.REPO_PAT }}'
 - name: Import docs
 run: |
- echo "Importing CloudNativePG docs for version: ${{ env.VERSION }}"
- ./scripts/import_docs.sh "${{ env.VERSION }}"
+ echo "Importing CloudNativePG docs for version: ${VERSION}"
+ ./scripts/import_docs.sh "${VERSION}"
 - name: Commit and push changes
 uses: EndBug/add-and-commit@a94899bca583c204427a224a7af87c02f9b325d5 # v9
 with:
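Review bot: The `Import docs` step now relies on `VERSION` already being exported to the shell, but nothing in this hunk defines it (no step-level `env:` is added here, although the commit description mentions them), so an unset or empty value would reach `./scripts/import_docs.sh` silently. Writing the script line as `./scripts/import_docs.sh "${VERSION:?VERSION is not set}"` would fail the step early instead. The quoting closes the expression-injection path in the workflow itself, but if the value derives from a dispatch input or event payload (not visible here) it is still untrusted data, so it is worth confirming that `import_docs.sh` quotes its argument and checks it against the expected version format before using it in paths or git refs. The job definition that sets `VERSION` lies outside the hunk.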