From 090cc763cb1190ac7f2d3a3c9b69735018f64438 Mon Sep 17 00:00:00 2001
From: Arpit Jain
Date: Thu, 28 May 2026 14:38:23 +0900
Subject: [PATCH] ci: read branch refs from env in visreg Percy-branch steps
Both visual-regression workflows build PERCY_BRANCH by interpolating github.head_ref and github.ref_name directly into a run block. The runner expands these expressions into the script before bash sees it, so a pull request opened from a branch with a crafted name could inject commands into the step. Move the branch values into a step env block and reference them as shell variables. The Percy branch resolution is identical; only the substitution point changes from the script text to the environment.
Signed-off-by: Arpit Jain
---
 .github/workflows/visreg-mobile.yml | 9 ++++++---
 .github/workflows/visreg-web.yml | 7 +++++--
 2 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/visreg-mobile.yml b/.github/workflows/visreg-mobile.yml
index 5c149e1b04..a6ac1a7a59 100644
--- a/.github/workflows/visreg-mobile.yml
+++ b/.github/workflows/visreg-mobile.yml
@@ -107,14 +107,17 @@ jobs:
 - uses: ./.github/actions/setup
 - name: Set Percy branch
+ env:
+ BRANCH_INPUT: ${{ inputs.branch }}
+ HEAD_REF: ${{ github.head_ref }}
+ REF_NAME: ${{ github.ref_name }}
 run: |
- BRANCH_INPUT="${{ inputs.branch }}"
 if [[ -n "$BRANCH_INPUT" ]]; then
 echo "PERCY_BRANCH=$BRANCH_INPUT" >> "$GITHUB_ENV"
 elif [[ "${{ github.event_name }}" == "pull_request" ]]; then
- echo "PERCY_BRANCH=${{ github.head_ref }}" >> "$GITHUB_ENV"
+ echo "PERCY_BRANCH=$HEAD_REF" >> "$GITHUB_ENV"
 else
- echo "PERCY_BRANCH=${{ github.ref_name }}" >> "$GITHUB_ENV"
+ echo "PERCY_BRANCH=$REF_NAME" >> "$GITHUB_ENV"
 fi
 - name: Install Maestro
diff --git a/.github/workflows/visreg-web.yml b/.github/workflows/visreg-web.yml
index b322bfa8b3..16ebdd78d4 100644
--- a/.github/workflows/visreg-web.yml
+++ b/.github/workflows/visreg-web.yml
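Review bot: In the visreg-mobile.yml step, `BRANCH_INPUT` is appended to `$GITHUB_ENV` in the first branch of the `if` without any validation, and unlike `HEAD_REF` and `REF_NAME` it is not a git ref name, so nothing guarantees it is a single line. A value containing a newline would add further `NAME=value` lines to the environment file and so set variables for every later step in the job. Who can supply `inputs.branch` is not visible here, since the trigger definition is outside the hunk; if it can come from a caller or dispatcher that is not fully trusted, reject multi-line values before the write, e.g. `[[ "$BRANCH_INPUT" != *$'\n'* ]] || { echo "invalid branch input" >&2; exit 1; }`. The value then lives on as `PERCY_BRANCH`, so later steps outside this hunk should keep it quoted wherever a shell reads it.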
@@ -35,11 +35,14 @@ jobs:
 - uses: ./.github/actions/setup
 - name: Set branch name for Percy
 id: set_branch
+ env:
+ HEAD_REF: ${{ github.head_ref }}
+ REF_NAME: ${{ github.ref_name }}
 run: |
 if [[ "${{ github.event_name }}" == "pull_request" ]]; then
- echo "PERCY_BRANCH=${{ github.head_ref }}" >> "$GITHUB_ENV"
+ echo "PERCY_BRANCH=$HEAD_REF" >> "$GITHUB_ENV"
 else
- echo "PERCY_BRANCH=${{ github.ref_name }}" >> "$GITHUB_ENV"
+ echo "PERCY_BRANCH=$REF_NAME" >> "$GITHUB_ENV"
 fi
 - name: Evaluate Visreg Web Should Run
 id: visreg-should-run
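Review bot: `${{ github.event_name }}` is still expanded into the script text on the `if` line here, and on the `elif` line of the visreg-mobile.yml step. The event name is set by GitHub rather than by the pull-request author, so this is a consistency point rather than an injection path. Leaving one expression inside `run:` means a "no `${{ }}` in scripts" rule cannot be checked mechanically, and it invites a later edit to copy the pattern with an untrusted context. Adding `EVENT_NAME: ${{ github.event_name }}` to the `env:` block and testing `[[ "$EVENT_NAME" == "pull_request" ]]` would make both steps expression-free.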