refactor(action): Use environment variables for the input

5ouma · 5ouma · commit 4bc5f0465f5d · 2025-05-16T20:46:01.000+09:00
It prevents malformed injections since GitHub replace the text.
diff --git a/action.yml b/action.yml
@@ -25,11 +25,12 @@ runs:
       cd "${GITHUB_WORKSPACE}" || exit 1
       TEMP_PATH="$(mktemp -d)"
       PATH="${TEMP_PATH}:$PATH"
-      curl -sfL "https://raw.githubusercontent.com/Songmu/tagpr/${ACTION_REF}/install.sh" | sh -s -- -b "$TEMP_PATH" "${{ inputs.version }}" 2>&1
+      curl -sfL "https://raw.githubusercontent.com/Songmu/tagpr/${ACTION_REF}/install.sh" | sh -s -- -b "$TEMP_PATH" "$TAGPR_VERSION" 2>&1
       tagpr
     shell: bash
     env:
       ACTION_REF: ${{ github.action_ref }}
+      TAGPR_VERSION: ${{ inputs.version }}
       TAGPR_CONFIG_FILE: ${{ inputs.config }}
 branding:
   icon: 'git-pull-request'
