From d0162903490f4dc3dfda0242d498c2f1e70dfea4 Mon Sep 17 00:00:00 2001
From: azhe <xiaosansiji@gmail.com>
Date: Mon, 17 Jul 2023 18:09:44 +0800
Subject: [PATCH] fix: action ci script security (#2372)

---
 .github/workflows/auto-release.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/auto-release.yml b/.github/workflows/auto-release.yml
index 924600620..bf103c03b 100644
--- a/.github/workflows/auto-release.yml
+++ b/.github/workflows/auto-release.yml
@@ -53,12 +53,12 @@ jobs:
       - uses: actions/checkout@v3
         with:
           ref: ${{ steps.comment.outputs.branch }}
-      - run: echo '${{ github.event.comment.body }}'
       - name: Commit and push if needed
+        env:
+          BODY: ${{ github.event.comment.body }}
         run: |
           txt=$(cat CHANGELOG.md)
-          body='${{ github.event.comment.body }}'
-          echo "${txt%%##*}${body}${txt##*---}" > CHANGELOG.md
+          echo "${txt%%##*} $BODY ${txt##*---}" > CHANGELOG.md
           git add .
           git config --local user.email "github-actions[bot]@users.noreply.github.com"
           git config --local user.name "github-actions[bot]"