From 8eccdc0a23e0c19b7ad2b166dcc4d467e9cb31be Mon Sep 17 00:00:00 2001
From: dagecko
Date: Sat, 28 Mar 2026 13:34:29 -0400
Subject: [PATCH] fix: quote env var references in run blocks
Did some research into the CodeQL envvar-injection-critical guidance (https://codeql.github.com/codeql-query-help/actions/actions-envvar-injection-critical/) and wanted to add this additional change to prevent shell injection through attacker-controllable values like ref names and workflow inputs, and to prevent unexpected behavior from special characters in secret values. Before: echo ${REF_NAME} After: echo "${REF_NAME}"
---
 .github/workflows/update-version.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/update-version.yml b/.github/workflows/update-version.yml
index 3b9ed0f9a..5c0848286 100644
--- a/.github/workflows/update-version.yml
+++ b/.github/workflows/update-version.yml
@@ -52,11 +52,11 @@ jobs:
 run: |
 git config --local user.name "github-actions"
 git config --local user.email "github-actions@github.com"
- git fetch origin ${HEAD_REF}
- git checkout -B ${HEAD_REF} origin/${HEAD_REF}
+ git fetch origin "${HEAD_REF}"
+ git checkout -B "${HEAD_REF}" "origin/${HEAD_REF}"
 git add comfyui_version.py
 git diff --quiet && git diff --staged --quiet || git commit -m "chore: Update comfyui_version.py to match pyproject.toml"
- git push origin HEAD:${HEAD_REF}
+ git push origin "HEAD:${HEAD_REF}"
 env:
 HEAD_REF: ${{ github.head_ref }}
\ No newline at end of file
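Review bot: The quoting added on the `git fetch`, `git checkout` and `git push` lines closes the word-splitting and glob-expansion gap, but the script still runs `git fetch origin ""` when `HEAD_REF` is empty, which is what `github.head_ref` evaluates to on any trigger other than a pull-request event (the workflow's `on:` block is outside the hunk, so this is inferred rather than seen). A fail-fast guard as the first line of the `run: |` block, `: "${HEAD_REF:?HEAD_REF is empty; this step requires a pull_request trigger}"`, turns that into a clear error instead of an opaque git failure. Since the value reaches the script only through `env:` and is never interpolated with `${{ }}`, a short comment above the `env:` key such as `# HEAD_REF is passed via env, not interpolated into the script; keep every use quoted` records why the quoting matters for the next editor. The file still ends without a trailing newline, as the `\ No newline at end of file` marker shows.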