Description
ci-cd-intro/.github/workflows/staging.yml, line 40 in 37cbd0c:

    pull_number: ${{ github.event.inputs.PR_number }}
It's nice that you keep reminding people about the dangers of things like a random curl somewhere | sh, and there is a similar problem on this line: the use of ${{...}} means that whatever you type as the input is replacing that directly. For example, I can use an input like (console.log(whatever), 123), and it'll blindly run it. Yes, it's minor, since I'd need to be a collaborator to run your actions, but you might assume that as long as you review all of my PRs I cannot read your secrets. Instead, you could just use context.payload.inputs in the code (without ${{...}}s) and be calm knowing that no such trickery can happen...
(Same as the other thing, I guess that editing is impractical, but just wanted to say it since I half-expected you to at least say something about it.)