From 2c4f43ab946b652447ceade6821f8656ec9c2f6e Mon Sep 17 00:00:00 2001
From: "aikido-autofix[bot]" <119856028+aikido-autofix[bot]@users.noreply.github.com>
Date: Wed, 30 Apr 2025 23:08:38 +0000
Subject: [PATCH] fix(security): autofix Template Injection in GitHub Workflows Action

---
 .github/workflows/chango.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/chango.yml b/.github/workflows/chango.yml
index eb1db8ef440..101350cc983 100644
--- a/.github/workflows/chango.yml
+++ b/.github/workflows/chango.yml
@@ -26,8 +26,10 @@ jobs:
 persist-credentials: true
 - name: Check PR Title
 id: check_title
+ env:
+ PR_TITLE: ${{ github.event.pull_request.title }}
 run: | # zizmor: ignore[template-injection]
- if [[ "$(echo "${{ github.event.pull_request.title }}" | tr '[:upper:]' '[:lower:]')" =~ ^bump\ version\ to\ .* ]]; then
+ if [[ "$(echo "$PR_TITLE" | tr '[:upper:]' '[:lower:]')" =~ ^bump\ version\ to\ .* ]]; then
 echo "COMMIT_AND_PUSH=false" >> $GITHUB_OUTPUT
 echo "IS_RELEASE_PR=true" >> $GITHUB_OUTPUT
 else
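Review bot: The `# zizmor: ignore[template-injection]` suppression on the `run: |` line is left in place, although the only inline expression visible in this hunk, `${{ github.event.pull_request.title }}`, now lives under `env:`. A stale ignore would silence the linter if a `${{ }}` expression were later reintroduced into this script, so the line should become plain `run: |`. That holds only if the rest of the step, which continues past the hunk after `else`, contains no other inline expressions. A smaller robustness point on the new `if` line: `echo "$PR_TITLE"` treats a title such as `-n` or `-e` as an option, which `printf '%s' "$PR_TITLE"` avoids. The step also writes to `$GITHUB_OUTPUT` unquoted, where `>> "$GITHUB_OUTPUT"` is the safer form.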