From 4c14f73e9b2184f4ee7a7ce547866101504f68a7 Mon Sep 17 00:00:00 2001
From: "Doroszlai, Attila"
Date: Mon, 12 Jan 2026 19:12:05 +0100
Subject: [PATCH] RATIS-2380. repeat-test.yaml is vulnerable to parameter injection attacks
---
 .github/workflows/repeat-test.yaml | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/repeat-test.yaml b/.github/workflows/repeat-test.yaml
index de787d9291..11b77b1d35 100644
--- a/.github/workflows/repeat-test.yaml
+++ b/.github/workflows/repeat-test.yaml
@@ -55,6 +55,7 @@ jobs:
 outputs:
 matrix: ${{ steps.generate.outputs.matrix }}
 test-spec: ${{ steps.test-spec.outputs.test-spec }}
+ ref: ${{ steps.ref.outputs.ref }}
 steps:
 - id: generate
 name: Generate test matrix
@@ -76,6 +77,12 @@ jobs:
 fi
 echo "Test to be run: $test_spec"
 echo "test-spec=$test_spec" >> $GITHUB_OUTPUT
+ - name: Define checkout ref
+ id: ref
+ run: |
+ echo "ref=$REF" >> $GITHUB_OUTPUT
+ env:
+ REF: ${{ github.event.inputs.ref }}
 test:
 if: ${{ always() }}
 needs:
@@ -90,7 +97,7 @@ jobs:
 steps:
 - uses: actions/checkout@v4
 with:
- ref: ${{ github.event.inputs.ref }}
+ ref: ${{ needs.prepare.outputs.ref }}
 - name: Cache for maven dependencies
 uses: actions/cache@v4
 with:
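Review bot: The new `Define checkout ref` step writes `$REF` to `$GITHUB_OUTPUT` without checking its shape, so if the dispatch input can carry a line break, the remainder would be parsed as further `name=value` lines for this step's outputs. Passing the input through `env:` keeps it out of the script text; a one-line guard before the echo would complete that, for example `[[ "$REF" != *$'\n'* ]] || { echo "ref must be a single line" >&2; exit 1; }`, assuming the step runs under bash. Quoting the target as `>> "$GITHUB_OUTPUT"` and adding a comment such as `# input is passed via env so it is never interpolated into the script` would also tell the next maintainer why the indirection exists.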
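Review bot: `ref: ${{ needs.prepare.outputs.ref }}` makes the checked-out revision depend on the `prepare` job having reached its `ref` step, while the `test` job is declared with `if: ${{ always() }}` (visible in the previous hunk). If `prepare` fails earlier, the output is empty and actions/checkout would presumably fall back to its default ref, so the tests could run against a different revision than the one requested. A comment above the line, e.g. `# empty when prepare did not finish; checkout then uses the triggering ref`, would make that explicit. The `test` job's step list continues outside the hunk, so any later handling of this case is not visible here.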