From ed30a4fc7c03eaf06c74420fbede4e69a41a9aa5 Mon Sep 17 00:00:00 2001
From: "M.V. Hutz" <git@maximhutz.me>
Date: Fri, 3 Apr 2026 14:47:01 +0000
Subject: [PATCH] fix: `check-pr-title` job has prompt injection (#18)

## Description

Currently, the `check-pr-title` job has a security vulnerability. If you give the PR a bad title, the job can run arbitrary code.

## Changes

- Fix prompt injection by pulling the PR title as an environment variable.
- Also, restricted the job to only `pull_request` trigger.

### Design Decisions

- It is better to pull out this job into a separate workflow with a unique trigger, but I chose not to because it is currently only one job.

## Checklist

- [x] Tests pass
- [x] Docs updated

Reviewed-on: https://git.maximhutz.com/tools/go-cuckoo/pulls/18
Co-authored-by: M.V. Hutz <git@maximhutz.me>
Co-committed-by: M.V. Hutz <git@maximhutz.me>
---
 .gitea/workflows/ci.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
index b0ef1f8..1024502 100644
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -9,9 +9,11 @@ jobs:
   check-pr-title:
     name: Check PR Title
     runs-on: ubuntu-latest
+    if: github.event_name == 'pull_request'
+    env:
+      TITLE: ${{ gitea.event.pull_request.title }}
     steps:
       - run: |
-          TITLE="${{ gitea.event.pull_request.title }}"
           if ! echo "$TITLE" | grep -qE '^(WIP: )?(feat|fix|docs|chore|ci|test|refactor|perf|build|style|revert)(\(.+\))?(!)?: .+'; then
             echo "::error::Pull Request title must follow conventional commits"
             exit 1