Skip to content
This repository was archived by the owner on Jul 8, 2026. It is now read-only.

Fix script injection security issues in workflows#44

Merged
martinohansen merged 1 commit into
mainfrom
fix/actionlint-script-injection
Mar 5, 2026
Merged

Fix script injection security issues in workflows#44
martinohansen merged 1 commit into
mainfrom
fix/actionlint-script-injection

Conversation

@martinohansen

Copy link
Copy Markdown
Contributor

Summary

Move untrusted GitHub context values out of inline shell scripts into environment variables to prevent script injection attacks.

Security concern

Directly interpolating ${{ github.head_ref }} or ${{ github.event.pull_request.head.ref }} into run: scripts allows an attacker to inject arbitrary shell commands by naming a branch with a payload like x"; malicious command; echo ".

Fix

Each untrusted value is assigned to an environment variable in the step's env: block and referenced as $VAR_NAME in the script body.

See: https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions

Move untrusted GitHub context values to env vars to prevent
script injection attacks per GitHub security best practices.
@github-actions

github-actions Bot commented Mar 4, 2026

Copy link
Copy Markdown

@martinohansen martinohansen merged commit e4527f7 into main Mar 5, 2026
1 check passed
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants