From 84715071153d5fe634a5b0e3759e450fe398ac52 Mon Sep 17 00:00:00 2001
From: shamoon <4887959+shamoon@users.noreply.github.com>
Date: Sun, 28 Dec 2025 20:47:44 -0800
Subject: [PATCH] Fix ref injection in translate-strings workflow
---
 .github/workflows/translate-strings.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/translate-strings.yml b/.github/workflows/translate-strings.yml
index bd9eafae5..2d36d67ca 100644
--- a/.github/workflows/translate-strings.yml
+++ b/.github/workflows/translate-strings.yml
@@ -12,9 +12,11 @@ jobs:
 steps:
 - name: Checkout code
 uses: actions/checkout@v6
+ env:
+ GH_REF: ${{ github.ref }} # sonar rule:githubactions:S7630 - avoid injection
 with:
 token: ${{ secrets.PNGX_BOT_PAT }}
- ref: ${{ github.head_ref }}
+ ref: $GH_REF
 - name: Set up Python
 id: setup-python
 uses: actions/setup-python@v6
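Review bot: The new `ref: $GH_REF` under `with:` in the "Checkout code" step reaches the action as the literal string `$GH_REF`, because `with:` inputs are not shell-expanded; the added `env:` block has no effect on it and the checkout will most likely fail to resolve that ref. The env-variable indirection behind the cited Sonar rule protects `run:` scripts, where `${{ }}` output is spliced into shell text, whereas an expression in a `with:` input is handed over as a plain string value. I would drop the `env:` block and keep `ref: ${{ github.head_ref }}`. The commit also replaces `github.head_ref` with `github.ref`, which hold different values on pull-request events; the workflow's `on:` trigger is outside the hunk, so confirm which ref is intended. Since this step checks out with `secrets.PNGX_BOT_PAT`, it is also worth confirming that the trigger cannot run this job on a ref controlled by an untrusted fork.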