From be049daf9cfc24688658b3dda1fef96ce69960e6 Mon Sep 17 00:00:00 2001
From: Ben Roberts
Date: Mon, 5 Jan 2026 20:54:27 +0000
Subject: [PATCH] Prevent shell injection
---
 gitea-pr-comment/action.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/gitea-pr-comment/action.yml b/gitea-pr-comment/action.yml
index 5c3f8b0..7feebdd 100644
--- a/gitea-pr-comment/action.yml
+++ b/gitea-pr-comment/action.yml
@@ -96,8 +96,11 @@ runs:
 -t "$GIT_SERVER_TOKEN"
 - name: Create pull request comment
+ env:
+ PR: ${{ inputs.pr }}
+ MESSAGE: ${{ inputs.message }}
 shell: bash
 run: >-
 cd "${{ inputs.path || env.GITHUB_WORKSPACE }}" &&
 echo "$PWD" &&
- tea --debug comment '${{ inputs.pr }}' '${{ inputs.message }}'
+ tea --debug comment "${PR}" "${MESSAGE}"
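Review bot: The `cd "${{ inputs.path || env.GITHUB_WORKSPACE }}"` line in this `run:` block still expands an action input into the script text before bash parses it, so the step keeps the same injection class that the commit removes for `pr` and `message`. Pass it through `env:` too, for example `WORKDIR: ${{ inputs.path || env.GITHUB_WORKSPACE }}` under `env:` and then `cd "${WORKDIR}" &&` in the script. Separately, `"${PR}"` and `"${MESSAGE}"` are no longer shell-parsed, but a value beginning with `-` would presumably still be read by `tea` as an option; if `tea` honours the `--` end-of-options marker, `tea --debug comment -- "${PR}" "${MESSAGE}"` would cover that as well. The preceding step, which ends at `-t "$GIT_SERVER_TOKEN"`, starts outside the hunk and is not reviewed here.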