Add security warning to README

doximity · May 2, 2022 · 649c6b6 · 649c6b6
1 parent 3bfd5d0
commit 649c6b6
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -38,6 +38,12 @@ branch) or a pull request number.
     #
     # The return of your function is set as the `callback_return` output of this
     # action, allowing you to reference that return value from other steps in your workflow.
+    #
+    # SECURITY WARNING: make sure you only reference trusted inputs from within the callback
+    # below. Because the code is `eval`'d this can pose a code injection risk if misused.
+    # Read more:
+    # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#understanding-the-risk-of-script-injections
+    #
     # Default: return filenamesList
     callback: ''
 ```