From 033af314a79638c214cdbac6315d4b79f95159bd Mon Sep 17 00:00:00 2001
From: Victor Malitskyi <malicvictor@gmail.com>
Date: Mon, 22 Dec 2025 15:42:12 +0100
Subject: [PATCH] Fix vulnerability in cross-repo-issue GitHub action (#4324)

---
 .github/workflows/cross-repo-issue.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/cross-repo-issue.yml b/.github/workflows/cross-repo-issue.yml
index c2288da271a..a2aa9471ecf 100644
--- a/.github/workflows/cross-repo-issue.yml
+++ b/.github/workflows/cross-repo-issue.yml
@@ -23,9 +23,10 @@ jobs:
           github.event.pull_request.merged
         env:
           GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
+          PR_TITLE: ${{ github.event.pull_request.title }}
         run: |
           echo -e "A PR was merged over on PBS-Java\n\n- [https://github.com/prebid/prebid-server-java/pull/${{github.event.number}}](https://github.com/prebid/prebid-server-java/pull/${{github.event.number}})\n- timestamp: ${{ github.event.pull_request.merged_at}}" > msg
           export msg=$(cat msg)
-          gh issue create --repo prebid/prebid-server --title "Port PR from PBS-Java: ${{ github.event.pull_request.title }}" \
+          gh issue create --repo prebid/prebid-server --title "Port PR from PBS-Java: $PR_TITLE" \
               --body "$msg" \
               --label auto