From c2739789e1ad3971d3b68fd0467a596958d6241b Mon Sep 17 00:00:00 2001
From: Keshav Malik <33570148+theinfosecguy@users.noreply.github.com>
Date: Fri, 27 Mar 2026 13:25:19 +0530
Subject: [PATCH] Sanitize branch ref handling in test workflow shell step. Route the branch reference through an environment variable and print it with printf so branch names are treated as data instead of shell syntax.
Made-with: Cursor
---
 .github/workflows/test.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 1209ca2057d..0c5e58df8e2 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -44,10 +44,12 @@ jobs:

 - name: Commit info
 id: info
+ env:
+ HEAD_REF: ${{ github.head_ref || github.ref }}
 run: |
 echo ref="${{ steps.checkout-pr.outputs.ref || steps.checkout-push.outputs.ref }}" >> $GITHUB_OUTPUT
 echo commit="${{ steps.checkout-pr.outputs.commit || steps.checkout-push.outputs.commit }}" >> $GITHUB_OUTPUT
- echo branch="${{ github.head_ref || github.ref }}" >> $GITHUB_OUTPUT
+ printf 'branch=%s\n' "$HEAD_REF" >> "$GITHUB_OUTPUT"
 echo fork="${{ (github.event.pull_request && github.event.pull_request.head.repo.owner.login != github.repository_owner) && github.event.pull_request.head.repo.owner.login || null }}" >> $GITHUB_OUTPUT
 echo base-branch="${{ github.event.pull_request.base.ref || github.ref }}" >> $GITHUB_OUTPUT
 echo base-commit="${{ github.event.pull_request.base.sha || github.event.before }}" >> $GITHUB_OUTPUT
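Review bot: Only the `branch` line was moved out of the script; the `ref`, `commit`, `fork`, `base-branch` and `base-commit` lines of the same `run:` block still expand `${{ … }}` expressions directly into shell text. Of these, `steps.checkout-pr.outputs.ref` looks the most likely to carry the same pull-request branch name, though the checkout steps are outside the hunk, so that is an inference. Passing every value through `env:` and writing it with `printf '%s\n'`, as already done for `HEAD_REF`, would make the step uniform and remove the need to reason about each expression separately. The `run:` block may continue past the last visible line, and any later step that interpolates `steps.info.outputs.branch` into a script would need the same treatment.

```yaml
env:
  # … unchanged: HEAD_REF …
  CHECKOUT_REF: ${{ steps.checkout-pr.outputs.ref || steps.checkout-push.outputs.ref }}
  CHECKOUT_COMMIT: ${{ steps.checkout-pr.outputs.commit || steps.checkout-push.outputs.commit }}
  FORK_OWNER: ${{ (github.event.pull_request && github.event.pull_request.head.repo.owner.login != github.repository_owner) && github.event.pull_request.head.repo.owner.login || null }}
  BASE_REF: ${{ github.event.pull_request.base.ref || github.ref }}
  BASE_COMMIT: ${{ github.event.pull_request.base.sha || github.event.before }}
run: |
  printf 'ref=%s\n' "$CHECKOUT_REF" >> "$GITHUB_OUTPUT"
  printf 'commit=%s\n' "$CHECKOUT_COMMIT" >> "$GITHUB_OUTPUT"
  # … unchanged: branch printf using $HEAD_REF …
  printf 'fork=%s\n' "$FORK_OWNER" >> "$GITHUB_OUTPUT"
  printf 'base-branch=%s\n' "$BASE_REF" >> "$GITHUB_OUTPUT"
  printf 'base-commit=%s\n' "$BASE_COMMIT" >> "$GITHUB_OUTPUT"
```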