[GH] Fix script injection vulnerability in workflow checkers by himani2411 · Pull Request #7400 · aws/aws-parallelcluster

himani2411 · 2026-05-19T15:56:12Z

Use intermediate environment variables for github.event.pull_request.base.ref instead of inline ${{ }} expressions in run scripts, following GitHub's recommended mitigation for script injection attacks.

Make sure you are pointing to the right branch.
If you're creating a patch for a branch other than develop add the branch name as prefix in the PR title (e.g. [release-3.6]).
Check all commits' messages are clear, describing what and why vs how.
Make sure to have added unit tests or integration tests to cover the new/modified code.
Check if documentation is impacted by this change.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

* Use intermediate environment variables for github.event.pull_request.base.ref instead of inline ${{ }} expressions in run scripts, following GitHub's recommended mitigation for script injection attacks. Reference: https://docs.github.com/en/actions/reference/security/secure-use#use-an-intermediate-environment-variable

himani2411 added the skip-changelog-update Disables the check that enforces changelog updates in PRs label May 19, 2026

himani2411 requested review from a team as code owners May 19, 2026 15:56

himani2411 added the 3.x label May 19, 2026

himani2411 enabled auto-merge (rebase) May 19, 2026 16:01

hanwen-cluster approved these changes May 19, 2026

View reviewed changes

himani2411 merged commit f23e27c into aws:develop May 19, 2026
25 checks passed

Provide feedback