From 2327fd04a3148198fa69e5d04e7b1c725fe2ef28 Mon Sep 17 00:00:00 2001 From: Matt Aitchison Date: Wed, 25 Feb 2026 16:15:37 -0600 Subject: [PATCH] ci: quote github.base_ref in shell to prevent injection --- .github/workflows/tests.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 8f858b995..214c5f2f5 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -104,7 +104,7 @@ jobs: DURATIONS_ARG="" if [ -f "$DURATION_FILE" ]; then - if git diff origin/${{ github.base_ref }}...HEAD --name-only 2>/dev/null | grep -q "^lib/.*/tests/.*\.py$"; then + if git diff "origin/${{ github.base_ref }}...HEAD" --name-only 2>/dev/null | grep -q "^lib/.*/tests/.*\.py$"; then echo "::notice::Test files changed — using even splitting" else echo "::notice::Using cached test durations for optimal splitting"