From b8ae5d85ea54bc9f9c28ce6f06b734fc68a4d47e Mon Sep 17 00:00:00 2001
From: xata-bot
Date: Wed, 4 Mar 2026 13:53:20 +0100
Subject: [PATCH] Fix script injection security issues in workflows

Move untrusted GitHub context values to env vars to prevent script injection attacks per GitHub security best practices.
---
 .github/workflows/docs_preview.yaml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/docs_preview.yaml b/.github/workflows/docs_preview.yaml
index 0f7a996..1a6f35f 100644
--- a/.github/workflows/docs_preview.yaml
+++ b/.github/workflows/docs_preview.yaml
@@ -8,10 +8,11 @@ jobs:
 steps:
 - name: Generate preview URL
 id: generate_url
+ env:
+ PR_OWNER: ${{ github.event.pull_request.head.repo.owner.login }}
+ PR_BRANCH: ${{ github.event.pull_request.head.ref }}
 run: |
- PR_OWNER=${{ github.event.pull_request.head.repo.owner.login }}
- BRANCH=${{ github.event.pull_request.head.ref }}
- PREVIEW_URL="https://xata.io/next/preview-path?path=/docs-preview/${PR_OWNER}:${BRANCH}/"
+ PREVIEW_URL="https://xata.io/next/preview-path?path=/docs-preview/${PR_OWNER}:${PR_BRANCH}/"
 echo "preview_url=${PREVIEW_URL}" >> $GITHUB_OUTPUT
 
 - name: Create or update docs preview comment
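Review bot: Moving `head.ref` into `PR_BRANCH` stops it from being parsed by the shell, but the new `PREVIEW_URL=` line still splices the raw branch name into a URL query string with no encoding, and git ref names may legally contain `&`, `#`, `%` and `=`, so a PR from a fork can rewrite the query or truncate the path of the preview link that ends up in the comment. Percent-encode the segment instead, e.g. `PREVIEW_URL="https://xata.io/next/preview-path?path=/docs-preview/$(printf '%s' "${PR_OWNER}:${PR_BRANCH}" | jq -sRr @uri)/"` — `@uri` also encodes `:` and `/`, so confirm the preview service decodes those, or encode owner and branch separately. While here, quote the output file, `echo "preview_url=${PREVIEW_URL}" >> "$GITHUB_OUTPUT"`. Note that `steps.generate_url.outputs.preview_url` carries the same taint as `head.ref`; if the "Create or update docs preview comment" step (which starts outside this hunk) expands it inside a `run:` or a `github-script` template via `${{ }}`, the injection this commit fixes is simply moved one step down, so that step should consume it through `env:` as well.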