diff --git a/.github/workflows/docs-preview-prepare.yml b/.github/workflows/docs-preview-prepare.yml
index 74276fba..ffeb783e 100644
--- a/.github/workflows/docs-preview-prepare.yml
+++ b/.github/workflows/docs-preview-prepare.yml
@@ -26,7 +26,7 @@ jobs:
       NETLIFY_SITE_PREFIX: pullrequest-${{ github.event.pull_request.number }}
       NETLIFY_SITE_NAME: dms-doc-previews
     steps:
-      - uses: actions/checkout@v2.3.4
+      - uses: actions/checkout@v2.4.0
 
       - name: 'Build with mkdocs-material via Docker'
         working-directory: docs
@@ -53,12 +53,17 @@ jobs:
       # Minimize risk of upload failure by bundling files to a single compressed archive (tar + zstd).
       # Bundles build dir and env file into a compressed archive, nested file paths will be preserved.
       - name: 'Prepare artifact for transfer'
+        env:
+          # As a precaution, reference this value by an interpolated ENV var;
+          # instead of interpolating user controllable input directly in the shell script..
+          # https://github.com/docker-mailserver/docker-mailserver/issues/2332#issuecomment-998326798
+          PR_TITLE: ${{ github.event.pull_request.title }}
         run: |
           # Save ENV for transfer
           {
             echo "PR_HEADSHA=${{ github.event.pull_request.head.sha }}"
             echo "PR_NUMBER=${{ github.event.pull_request.number }}"
-            echo "PR_TITLE=${{ github.event.pull_request.title }}"
+            echo "PR_TITLE=${PR_TITLE}"
             echo "NETLIFY_SITE_PREFIX=${{ env.NETLIFY_SITE_PREFIX }}"
             echo "BUILD_DIR=${{ env.BUILD_DIR }}"
           } >> pr.env
diff --git a/.github/workflows/docs-production-deploy.yml b/.github/workflows/docs-production-deploy.yml
index 539e4526..cb1aaa01 100644
--- a/.github/workflows/docs-production-deploy.yml
+++ b/.github/workflows/docs-production-deploy.yml
@@ -26,7 +26,7 @@ jobs:
     name: 'Deploy Docs'
     runs-on: ubuntu-20.04
     steps:
-      - uses: actions/checkout@v2.3.4
+      - uses: actions/checkout@v2.4.0
 
       - name: 'Check if deploy is for a `v<major>.<minor>` tag version instead of `edge`'
         if: startsWith(github.ref, 'refs/tags/')
@@ -75,10 +75,10 @@ jobs:
     needs: deploy
     steps:
       - name: 'Checkout the tagged commit (shallow clone)'
-        uses: actions/checkout@v2.3.4
+        uses: actions/checkout@v2.4.0
 
       - name: 'Checkout the docs deployment branch to a subdirectory'
-        uses: actions/checkout@v2.3.4
+        uses: actions/checkout@v2.4.0
         with:
           ref: gh-pages
           path: gh-pages