From e55d439e364d74001c66a533c0187bb433f5b079 Mon Sep 17 00:00:00 2001
From: Eric Black
Date: Thu, 11 Jun 2026 14:05:56 -0700
Subject: [PATCH] chore: pass PR title via env in pr-title-check workflow

Read the PR title from an environment variable instead of inlining it into the run script, following GitHub Actions guidance for handling untrusted input.
---
 .github/workflows/pr-title-check.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/pr-title-check.yml b/.github/workflows/pr-title-check.yml
index f08095884e..fd2677091f 100644
--- a/.github/workflows/pr-title-check.yml
+++ b/.github/workflows/pr-title-check.yml
@@ -9,8 +9,9 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Check PR title follows Conventional Commits
+ env:
+ PR_TITLE: ${{ github.event.pull_request.title }}
 run: |
- PR_TITLE="${{ github.event.pull_request.title }}"
 echo "Checking PR title: $PR_TITLE"

 # Define allowed types
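Review bot: The new `env:` block on the title-check step has no comment explaining why the title is routed through the environment, so a later edit could move `${{ github.event.pull_request.title }}` back into `run:` and reintroduce the script injection this commit removes. I would add a line above `env:` such as `# PR title is untrusted input: pass it via env, never interpolate ${{ }} inside run:`. The run script continues past the end of the hunk, so it is worth confirming that every later use there is double-quoted (`"$PR_TITLE"`) and that no other `${{ github.event.* }}` expression is still inlined. The workflow's trigger and `permissions:` are also outside the hunk, and they decide how much a mistake in this step could reach.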