You are using a variable that can be controlled by user input, which may result in command execution on your runners and secrets extraction by malicious actors.
Since the ${{ github.event.issue.body }} value can be controlled by the user who creates the issue, a malicious actor can inject system commands that will run on the GitHub runner while the workflow is in progress and fetch sensitive data stored there, such as a GitHub token with write permissions.
More info: https://securitylab.github.com/research/github-actions-untrusted-input/
Example of such a scenario: https://github.com/githubevents/open-source-friday/actions/runs/6530510920/job/17729928317
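A check for this pattern, as an added example that is not code from the reported repository: it flags untrusted `${{ ... }}` expressions only when they sit inside a `run:` script, and ignores the hardened form where the value is passed through `env:` and reaches the shell as data. The sample workflow, the function name and the short list of untrusted contexts are assumptions made for illustration.

```python
import re

# Constructed sample workflow (not taken from the reported repository).
# Step "vulnerable" expands the issue body into the script text itself;
# step "hardened" hands it to the shell through an environment variable.
SAMPLE_WORKFLOW = """\
on: issues
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - name: vulnerable
        run: |
          echo "New issue: ${{ github.event.issue.body }}"
      - name: hardened
        env:
          ISSUE_BODY: ${{ github.event.issue.body }}
        run: |
          echo "New issue: $ISSUE_BODY"
"""

# Non-exhaustive subset of user-controllable contexts (assumption for this example).
UNTRUSTED = re.compile(
    r"\$\{\{[^}]*\bgithub\.(?:event\.(?:issue|pull_request|comment|review)"
    r"\.(?:title|body)|head_ref)\b[^}]*\}\}"
)
RUN_KEY = re.compile(r"^\s*(?:-\s+)?run:\s*(.*)$")


def find_injectable_run_lines(workflow_text):
    """Return (line_number, expression) pairs for untrusted expressions in run: scripts."""
    findings = []
    run_col = None  # column of the current "run:" key, None when outside a script
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        indent = len(line) - len(line.lstrip())
        key = RUN_KEY.match(line)
        if key:
            run_col = line.index("run:")
            script = key.group(1)  # inline script, or "|" / ">" opening a block
        elif run_col is not None and line.strip() and indent > run_col:
            script = line  # continuation line of the block scalar
        else:
            if line.strip():
                run_col = None  # dedent to a sibling key or next step ends the script
            continue
        for expr in UNTRUSTED.finditer(script):
            findings.append((lineno, expr.group(0)))
    return findings
```

The scanner is line-based and does not parse YAML, so it is a triage aid for review rather than a complete linter.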