From 698ed46f558d8ab3e46e77c7bf655af8844fe419 Mon Sep 17 00:00:00 2001
From: Brandon Mills <btmills@users.noreply.github.com>
Date: Tue, 29 Dec 2020 13:34:40 -0500
Subject: [PATCH] Chore: Use non-interpolating single quotes in Tweet action
 (#74)

RFC #73 originally included backticks around <code>`only`</code>. The
automated tweet omitted "only" and its backticks. I realized that the
`run` action command was using double quotes, so the backticks from the
PR title were being interpreted by the shell as command substitution.
Using single quotes disables any interpolation.

Thankfully only contributors can trigger the automated tweet by labeling
or merging an RFC, and we'd notice something like `curl
example.com?secret=$SECRET`, so this isn't really a security issue.
---
 .github/workflows/tweet-rfc-update.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/tweet-rfc-update.yml b/.github/workflows/tweet-rfc-update.yml
index 42540464..14199460 100644
--- a/.github/workflows/tweet-rfc-update.yml
+++ b/.github/workflows/tweet-rfc-update.yml
@@ -11,7 +11,7 @@ jobs:
       - uses: actions/setup-node@v1
         with:
           node-version: 12
-      - run: npx @humanwhocodes/tweet "The RFC '${{ github.event.pull_request.title }}' is now in the ${{ github.event.label.name }} phase.\n\n${{ github.event.pull_request.html_url }}"
+      - run: npx @humanwhocodes/tweet 'The RFC "${{ github.event.pull_request.title }}" is now in the ${{ github.event.label.name }} phase.\n\n${{ github.event.pull_request.html_url }}'
         env:
           TWITTER_CONSUMER_KEY: ${{ secrets.TWITTER_CONSUMER_KEY }}
           TWITTER_CONSUMER_SECRET: ${{ secrets.TWITTER_CONSUMER_SECRET }}
@@ -25,7 +25,7 @@ jobs:
       - uses: actions/setup-node@v1
         with:
           node-version: 12
-      - run: npx @humanwhocodes/tweet "The RFC '${{ github.event.pull_request.title }}' has been approved and merged!\n\n${{ github.event.pull_request.html_url }}"
+      - run: npx @humanwhocodes/tweet 'The RFC "${{ github.event.pull_request.title }}" has been approved and merged!\n\n${{ github.event.pull_request.html_url }}'
         env:
           TWITTER_CONSUMER_KEY: ${{ secrets.TWITTER_CONSUMER_KEY }}
           TWITTER_CONSUMER_SECRET: ${{ secrets.TWITTER_CONSUMER_SECRET }}