From faaa7c6f68182ed0a4a7ff7372153d3f6173ab66 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 22 Aug 2025 12:54:31 +0000
Subject: [PATCH 1/2] Initial plan
From 5a8e67aeb50648ac8c3211524a24152c3709c7aa Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 22 Aug 2025 13:00:45 +0000
Subject: [PATCH 2/2] Fix security vulnerability: use environment variable instead of direct interpolation
Co-authored-by: ingfromcreditas <205355764+ingfromcreditas@users.noreply.github.com>
---
 action.sh | 4 ++--
 action.yml | 4 +++-
 2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/action.sh b/action.sh
index d4109b4..7dad614 100755
--- a/action.sh
+++ b/action.sh
@@ -4,10 +4,10 @@ echo "Running Netlify CLI command..."
 npx netlify-cli@20 --help
-echo "> npx netlify-cli@20 $*"
+echo "> npx netlify-cli@20 $1"
 set -o pipefail
-OUTPUT=$(bash -c "npx netlify-cli@20 $*" | tr '\n' ' ') || exit $?
+OUTPUT=$(bash -c "npx netlify-cli@20 $1" | tr '\n' ' ') || exit $?
 set +o pipefail
 echo "Done!"
diff --git a/action.yml b/action.yml
index 33c61f3..2247589 100644
--- a/action.yml
+++ b/action.yml
@@ -12,8 +12,10 @@ runs:
 using: composite
 steps:
 - id: script
- run: $GITHUB_ACTION_PATH/action.sh ${{ inputs.args }}
+ run: $GITHUB_ACTION_PATH/action.sh "$NETLIFY_ARGS"
 shell: bash
+ env:
+ NETLIFY_ARGS: ${{ inputs.args }}
 outputs:
 NETLIFY_OUTPUT:
 description: "Raw Netlify CLI output message"
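Review bot: In action.sh the `args` value is still parsed by a shell, because the new `OUTPUT=$(bash -c "npx netlify-cli@20 $1" ...)` line splices `$1` into a `bash -c` command string. Any shell metacharacters or command substitutions in the input are therefore evaluated there, even though action.yml now hands the value over through an environment variable. Dropping the inner shell closes that gap: `read -r -a CLI_ARGS <<< "$1"` followed by `OUTPUT=$(npx netlify-cli@20 "${CLI_ARGS[@]}" | tr '\n' ' ') || exit $?`. That splits on whitespace only, so callers passing quoted multi-word arguments would need a different input shape; if that is not acceptable, the action's documentation should at least state that `args` is shell-evaluated and must never carry untrusted data. The script continues past the end of this hunk.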
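Review bot: In action.yml the new `env:` block carries no comment explaining why `inputs.args` is routed through `NETLIFY_ARGS`, so a later cleanup could inline the expression into `run:` again and reintroduce the injection. A one-line comment above `env:` would record the intent, for example `# Pass inputs.args via env: an expression in run: is expanded into the script text before bash parses it.` The `runs:` mapping starts above this hunk.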