Merge pull request #6 from doximity/add-security-warning

Add security warning to README

README.md

@@ -5,7 +5,7 @@ branch) or a pull request number.
 
 # Usage
 ```yaml
-- uses: doximity/gh-action-callback-list-files@v0.0.1
+- uses: doximity/gh-action-callback-list-files@v1.0.0
   with:
     # Repository name with owner. For example, doximity/rake-ui
     # Default: ${{ github.repository }}
@@ -38,6 +38,12 @@ branch) or a pull request number.
     #
     # The return of your function is set as the `callback_return` output of this
     # action, allowing you to reference that return value from other steps in your workflow.
+    #
+    # SECURITY WARNING: make sure you only reference trusted inputs from within the callback
+    # below. Because the code is `eval`'d this can pose a code injection risk if misused.
+    # Read more:
+    # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#understanding-the-risk-of-script-injections
+    #
     # Default: return filenamesList
     callback: ''
 ```
@@ -49,7 +55,7 @@ branch) or a pull request number.
 ## List all filenames for a pull request
 
 ```yaml
-- uses: doximity/gh-action-callback-list-files@v0.0.1
+- uses: doximity/gh-action-callback-list-files@v1.0.0
   with:
     repository: owner/repo
     pr_number: 250
@@ -58,7 +64,7 @@ branch) or a pull request number.
 ## List all filenames for master HEAD
 
 ```yaml
-- uses: doximity/gh-action-callback-list-files@v0.0.1
+- uses: doximity/gh-action-callback-list-files@v1.0.0
   with:
     repository: owner/repo
     ref: master
@@ -67,7 +73,7 @@ branch) or a pull request number.
 ## Use action's output from another step in a workflow
 
 ```yaml
-- uses: doximity/gh-action-callback-list-files@v0.0.1
+- uses: doximity/gh-action-callback-list-files@v1.0.0
   id: check-for-graphql-changes
   with:
     repository: owner/repo