diff --git a/.github/workflows/automerge.js b/.github/workflows/automerge.js
index 7759971d9a..4cb5edd78f 100644
--- a/.github/workflows/automerge.js
+++ b/.github/workflows/automerge.js
@@ -1,5 +1,19 @@
 const { exec } = require('node:child_process');
-const [ _node, _automerge, branch, prTitle, actor ] = process.argv;
+const [ _node, _automerge ] = process.argv;
+
+// get these values from env instead of cli args due to RCE issues
+let branch = null;
+let prTitle = null;
+let actor = null;
+if (process.env.HEAD_REF) {
+ branch = process.env.HEAD_REF;
+}
+if (process.env.PR_TITLE) {
+ prTitle = process.env.PR_TITLE;
+}
+if (process.env.GITHUB_ACTOR) {
+ actor = process.env.GITHUB_ACTOR;
+}
 console.log({ branch, prTitle, actor });
diff --git a/.github/workflows/automerge.yml b/.github/workflows/automerge.yml
index de6ae9887b..eacf8ce746 100644
--- a/.github/workflows/automerge.yml
+++ b/.github/workflows/automerge.yml
@@ -22,8 +22,9 @@ jobs:
 working-directory: ".github/workflows"
 env:
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ PR_TITLE: "${{ github.event.pull_request.title }}"
 run: |
- node automerge.js "${{ github.head_ref }}" "${{ github.event.pull_request.title }}" "${{ github.actor }}"
+ node automerge.js
 - name: "Automerge the PR"
 env:
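Review bot: `branch` and `prTitle` are still attacker-controlled after the move to env vars in automerge.js, and the file's first line imports `exec`, which runs its argument through a shell. Reading them from the environment removes the expression interpolation in the workflow's `run:` script, but if code below this hunk builds an `exec` command string from these values, the same injection class remains; that code is outside the hunk, so it needs checking. I would make the comment say so, e.g. `// PR title and branch name are untrusted input: never interpolate them into a shell command string`, and prefer `execFile` with an argument array wherever they are passed on. The script should also exit non-zero when any of the three is still `null` instead of continuing with a missing value.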
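Review bot: The step's `env:` block in automerge.yml gains `PR_TITLE`, but nothing visible sets `HEAD_REF`, which automerge.js now reads to populate `branch`. The runner supplies `GITHUB_ACTOR` and `GITHUB_HEAD_REF` by default but not `HEAD_REF`, so unless it is defined at job or workflow level outside this hunk, `branch` stays `null` and any branch check in the script sees no value. Add `HEAD_REF: "${{ github.head_ref }}"` next to `PR_TITLE`, or have the script read `process.env.GITHUB_HEAD_REF` instead.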