Commands.yml - whitelist sourced variables in apply phase (#18818)

T-Gro · web-flow · commit 2f776924acd7 · 2025-08-11T16:46:15.000+02:00
diff --git a/.github/workflows/commands.yml b/.github/workflows/commands.yml
@@ -118,7 +118,15 @@ jobs:
       - name: Read metadata
         id: read-meta
         run: |
-          source result
+          run_step_outcome=""
+          hasPatch=""
+          while IFS='=' read -r key value; do
+            case "$key" in
+              run_step_outcome) run_step_outcome="$value" ;;
+              hasPatch) hasPatch="$value" ;;
+              *) echo "Unexpected key: $key" >&2; exit 1 ;;
+            esac
+          done < result
           echo "run_step_outcome=$run_step_outcome" >> $GITHUB_OUTPUT
           echo "hasPatch=$hasPatch" >> $GITHUB_OUTPUT
 
