Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Using variable interpolation ${{...}} with github context data in a run: step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. github context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with env: to store the data and use the environment variable in the run: script. Be sure to double-quote the environment variable, like this: "$ENVVAR".

Use ${{ }} expressions: GitHub Actions expressions are evaluated outside the shell, so it's safer to use them to handle values like ${{ github.event.inputs.tag }}.

Quoting variables: Always wrap variables used in shell commands in double quotes to prevent them from being interpreted as separate commands or options.