fix: prevent template injection in run: steps (VULN-1652) (#1947)

Replace direct ${{ inputs.skip_validation }}, ${{ inputs.use_oidc }}, ${{ inputs.token }}, and ${{ env.CODECOV_TOKEN }} interpolation inside run: shell scripts with env-var indirection. GitHub Actions resolves template expressions before the shell sees the script, so any consumer workflow that passes user-controlled data into these inputs could achieve arbitrary command execution on the runner. Moving the values into env: entries and referencing them as $INPUT_* shell variables ensures the shell always treats them as data, not code.