From 7dc38286c0de1ef10bc5bc262e0a458fd61874b0 Mon Sep 17 00:00:00 2001
From: RinCodeForge927
Date: Tue, 13 Jan 2026 20:42:10 +0700
Subject: [PATCH] ci: fix shell injection in backport workflow
---
 .github/workflows/backport-pr.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/backport-pr.yml b/.github/workflows/backport-pr.yml
index c7bcb117e91..de46ca7c730 100644
--- a/.github/workflows/backport-pr.yml
+++ b/.github/workflows/backport-pr.yml
@@ -25,9 +25,11 @@ jobs:
 - uses: actions/checkout@v4
 - name: Get backport metadata # the target branch is the first argument after `/backport`
+ env:
+ COMMENT_BODY: ${{ github.event.comment.body }}
 run: |
 set -euo pipefail
- body="${{ github.event.comment.body }}"
+ body="$COMMENT_BODY"
 line=${body%%$'\n'*} # Get the first line
 if [[ $line =~ ^/backport[[:space:]]+([^[:space:]]+) ]]; then
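Review bot: The branch name captured by the regex on the last visible line is still commenter-chosen text, and `[^[:space:]]+` admits shell metacharacters and a leading `-`; the step continues past the end of this hunk, so whether the value is checked before use cannot be seen here. Moving the comment body into `COMMENT_BODY` stops the template from being expanded into the script, but if the captured value is later written to `$GITHUB_OUTPUT` and read back as `${{ steps.ID.outputs.NAME }}` inside another `run:` block, the same class of injection returns one step later. Consider constraining it right after the match, for example `[[ ${BASH_REMATCH[1]} =~ ^[A-Za-z0-9][A-Za-z0-9._/-]*$ ]] || exit 1`, and passing every downstream use through `env:` as done here. A short comment above the new `env:` key, such as `# untrusted input: pass via env, never expand ${{ }} inside run:`, would keep a later edit from reverting the fix.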