From 6602ab27e1216bb787002152ae359f3b6fa6dcbe Mon Sep 17 00:00:00 2001
From: Idan Horowitz
Date: Sun, 15 Aug 2021 21:50:12 +0300
Subject: [PATCH] CI: Disable variable substitution on input to the twitter script

This prevents command injection through backticks in commit messages.
---
 .github/workflows/twitter.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/twitter.yml b/.github/workflows/twitter.yml
index e7ff0f9be2..56d75f9155 100644
--- a/.github/workflows/twitter.yml
+++ b/.github/workflows/twitter.yml
@@ -14,7 +14,7 @@ jobs:
           node-version: '14'
       - run: npm i twit
       - run: |
-          node ${{ github.workspace }}/Meta/tweet-commits.js << EOF
+          node ${{ github.workspace }}/Meta/tweet-commits.js << 'EOF'
           ${{ toJSON(github.event) }}
           EOF
         env:
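Review bot: Quoting the heredoc delimiter on the added line stops the shell from expanding backticks, `$(...)` and `$VAR` in the body, but the `${{ toJSON(github.event) }}` expression on the next context line is still interpolated into the script text by the runner before bash parses it, so untrusted event data remains part of the script rather than data passed to it. A more robust shape is to keep the payload out of `run:` entirely: the runner already writes the same event JSON to the file named by `GITHUB_EVENT_PATH`, so `node ${{ github.workspace }}/Meta/tweet-commits.js < "$GITHUB_EVENT_PATH"` feeds the script identical input with no expression inside the shell block. If the expression must stay, move it into an `env:` entry (e.g. `EVENT_JSON: ${{ toJSON(github.event) }}`) and pipe `"$EVENT_JSON"` to the script, which the runner passes as an environment value rather than script text. The `env:` block on the last hunk line continues outside the hunk, so this note cannot confirm what it already sets.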