From 0809ef13e265c1c12b50e8bb71762a89d27eb387 Mon Sep 17 00:00:00 2001
From: Abhijeet Prasad
Date: Mon, 9 Jun 2025 11:44:56 -0400
Subject: [PATCH] build: Fix command injection possibility in playwright GHA
---
 .github/actions/install-playwright/action.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/.github/actions/install-playwright/action.yml b/.github/actions/install-playwright/action.yml
index b0a9302845d5..8ca47ce04081 100644
--- a/.github/actions/install-playwright/action.yml
+++ b/.github/actions/install-playwright/action.yml
@@ -34,7 +34,9 @@ runs:
 working-directory: ${{ inputs.cwd }}
 - name: Install Playwright system dependencies only (cached)
- run: npx playwright install-deps ${{ inputs.browsers || 'chromium webkit firefox' }}
+ env:
+ PLAYWRIGHT_BROWSERS: ${{ inputs.browsers || 'chromium webkit firefox' }}
+ run: npx playwright install-deps "$PLAYWRIGHT_BROWSERS"
 if: steps.playwright-cache.outputs.cache-hit == 'true'
 shell: bash
 working-directory: ${{ inputs.cwd }}
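Review bot: Quoting `"$PLAYWRIGHT_BROWSERS"` on the new `run:` line passes the whole value as one argument, so the default `chromium webkit firefox` (and any multi-browser input) reaches `playwright install-deps` as a single word instead of three names, unlike the old unquoted interpolation. Moving the value into `env:` already keeps it out of the script text; to keep that and still split the list without glob expansion, the step can use bash's `read -r -a browsers <<< "$PLAYWRIGHT_BROWSERS"` followed by `npx playwright install-deps "${browsers[@]}"`. An entry beginning with `-` would still be read as an option by the CLI, so checking each entry against the known browser names is worth considering. The step that ends at the hunk's first context line is outside the hunk; if its `run:` also interpolates `${{ inputs.browsers }}` it needs the same treatment, which cannot be confirmed from here.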