From 20e87b82f896e43ec20d48a7d03bcaa7084420d9 Mon Sep 17 00:00:00 2001
From: Nick Le Large
Date: Thu, 21 Nov 2024 07:58:39 +0100
Subject: [PATCH] Sanitize input in workflow already

Reference: https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
---
 ...ump-version-and-create-release-and-push-docker-images.yaml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/bump-version-and-create-release-and-push-docker-images.yaml b/.github/workflows/bump-version-and-create-release-and-push-docker-images.yaml
index 9d4f5461..427e29cb 100644
--- a/.github/workflows/bump-version-and-create-release-and-push-docker-images.yaml
+++ b/.github/workflows/bump-version-and-create-release-and-push-docker-images.yaml
@@ -20,9 +20,11 @@ jobs:
       - name: Compute new version
         id: bump_version
+        env:
+          PR_BODY: ${{ github.event.pull_request.body }}
         run: |
           source version
-          new_version=$(.github/workflows/compute_version.sh "$VERSION" "${{ github.event.pull_request.body }}")
+          new_version=$(.github/workflows/compute_version.sh "$VERSION" "${PR_BODY//[^a-zA-Z0-9#]/}")
           echo "new_version=$new_version" >> $GITHUB_OUTPUT
 
   update-version-file:
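Review bot: The pattern `${PR_BODY//[^a-zA-Z0-9#]/}` on the new `new_version=` line also strips every space and newline, so the whole PR body is collapsed into a single token before it reaches compute_version.sh; if that script matches a keyword on word boundaries (e.g. a constructed body `fix #minor` becomes `fix#minor`), the bump could silently stop being detected. compute_version.sh is outside this patch, so this is an inference to confirm against its parsing. If whitespace must survive, keep it in the allow-list, `"${PR_BODY//[^a-zA-Z0-9#[:space:]]/}"`, and since the env-var indirection plus double quoting already keeps the body out of shell syntax, the stripping is defense-in-depth for the script rather than for the shell. A one-line comment above the `env:` block stating that intent would help the next maintainer, e.g. `# PR body is passed via env (not ${{ }} interpolation) to avoid script injection; only [A-Za-z0-9#] is forwarded to compute_version.sh`. The `echo ... >> $GITHUB_OUTPUT` context line is unchanged here, but quoting it as `"$GITHUB_OUTPUT"` would match the quoting style the new line adopts.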