From c51025a631d8ea4f802ea8bc1571ee4f4ff33df4 Mon Sep 17 00:00:00 2001
From: bharvey88 <8107750+bharvey88@users.noreply.github.com>
Date: Wed, 10 Jun 2026 15:44:35 -0500
Subject: [PATCH] Harden label-check for pull_request_target callers

Pass the PR body via an environment variable instead of interpolating it into the run script, closing a script-injection vector. This makes the workflow safe to call from pull_request_target triggers, which device repos need so label-check works on fork PRs (fork pull_request runs only get a read-only token and cannot add labels).

Drop the checkout step since no repository files are used.
---
 .github/workflows/label-check.yml | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/label-check.yml b/.github/workflows/label-check.yml
index 833b0c9..3b8929c 100644
--- a/.github/workflows/label-check.yml
+++ b/.github/workflows/label-check.yml
@@ -5,13 +5,16 @@ jobs:
   label-check:
     runs-on: ubuntu-latest
     steps:
-      - name: Checkout
-        uses: actions/checkout@v6
       - name: Write PR Body to File
+        # Pass the body through an environment variable instead of
+        # interpolating it into the script, so PR content can never be
+        # executed as shell code. Required for pull_request_target callers,
+        # which run with a write token. The checkout step was removed
+        # because no repository files are used.
+        env:
+          PR_BODY: ${{ github.event.pull_request.body }}
         run: |
-          set +H
-          set +o histexpand
-          printf '%s\n' "${{ github.event.pull_request.body }}" > pr_body.txt
+          printf '%s\n' "$PR_BODY" > pr_body.txt
       - name: Determine Single Label
         id: determine_label
         run: |
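Review bot: The job that is now documented as safe for pull_request_target callers still carries no `permissions:` block in the context shown at `label-check:` / `runs-on:`, so unless one exists at workflow level outside this hunk, the write-scoped token granted to pull_request_target runs keeps every default scope rather than only what labelling needs; adding `permissions:` with `contents: read` and `pull-requests: write` on the job would pin that down. The env-var isolation covers only this step, and the `run:` body of `Determine Single Label` (the last line of the hunk) continues outside it, so any further `${{ github.event.pull_request.* }}` interpolation there would reopen the vector the commit closes. The new comment also records history ("The checkout step was removed") that belongs in the commit message; a present-tense form such as `# No checkout: this job reads nothing from the repository.` will stay accurate as the file evolves.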