Pass branch name via env var to prevent script injection (#312)

cbeauchesne · web-flow · commit d4abcbed1ecc · 2026-05-04T18:46:43.000+02:00
diff --git a/.github/workflows/dev.yml b/.github/workflows/dev.yml
@@ -188,7 +188,9 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - run: mkdir binaries 
-      - run: echo "https://github.com/DataDog/dd-trace-cpp@${{ github.head_ref || github.ref_name }}" > binaries/cpp-load-from-git
+      - run: echo "https://github.com/DataDog/dd-trace-cpp@${BRANCH_NAME}" > binaries/cpp-load-from-git
+        env:
+          BRANCH_NAME: ${{ github.head_ref || github.ref_name }}          
       - name: Save artifact
         uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
         with:
