rhysd / actionlint

:octocat: Static checker for GitHub Actions workflow files
https://rhysd.github.io/actionlint/
MIT License

False positive warning for using github.head_ref in if statement #443

Open ryo-kozin opened 2 months ago

ryo-kozin commented 2 months ago

Description:

When using actionlint to check GitHub Actions workflows, I encountered a warning indicating that github.head_ref is potentially untrusted when used directly in an inline script. However, this warning appears even when github.head_ref is used inside an if statement in the workflow file.

Command Executed and Output:

I ran the following command to check my workflow file:

% actionlint

And received the following warning:

.github/workflows/xxx.yml:5:5: "github.head_ref" is potentially untrusted. avoid using it directly in inline scripts. instead, pass it through an environment variable. see https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions for more details [expression]

Why this is not an issue:

Suggestion:

It would be helpful if actionlint could differentiate between uses of ${{ github.head_ref }} in if conditions and actual inline scripts. This way, only genuine security risks are flagged, reducing false positives.

References:

  1. GitHub Actions: Using conditions to control job execution. The documentation clarifies that expressions used in if conditions are evaluated by the GitHub Actions engine and do not directly execute in a shell.

  2. GitHub Actions: Security hardening for GitHub Actions. This document provides best practices for security in GitHub Actions and explains that untrusted input should be avoided in shell scripts. However, it does not apply to expressions used in workflow conditions.

Example of current false positive:

```yaml
jobs:
  example-job:
    runs-on: ubuntu-latest
    if: ${{ github.event_name == 'pull_request' && startsWith(github.head_ref, 'test/') }}
    steps:
      - name: Do something
        run: echo "This is safe"
```

In this example, using github.head_ref in the if statement should not trigger a security warning.

Thank you for considering this improvement.
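The distinction the report draws (expression evaluation in `if:` versus textual interpolation into a `run:` script) can be shown on a local shell. The script below is an added example and is not code from actionlint, from GitHub, or from either participant in this thread; the branch name, the step scripts and the one-token substitution that stands in for the runner's `${{ }}` expansion are all constructed for the demonstration, and a `case` prefix match stands in for the engine's `startsWith()`.

```sh
#!/bin/sh
# Added example, not code from actionlint or from GitHub. It simulates, on a
# local shell, the three places the thread talks about: a branch name compared
# in an `if:` expression, a branch name interpolated into a `run:` script, and
# a branch name passed through an environment variable. Everything below is
# constructed; the substitution step only imitates the runner's textual
# expansion of a single ${{ github.head_ref }} token.

# Constructed attacker-controlled value: a pull request from a fork may carry
# any branch name, including one containing quotes and semicolons.
HEAD_REF='test/x"; echo INJECTED; echo "'

# 1. `if:` evaluation. The engine compares the string as data; nothing is
#    executed. Modelled here with a case pattern standing in for startsWith().
#    $1: the prefix to test for. Returns 0 when HEAD_REF starts with it.
head_ref_matches_prefix() {
  case "$HEAD_REF" in
    "$1"*) return 0 ;;
    *)     return 1 ;;
  esac
}

# 2. Inline `run:` use. The runner replaces the expression with the raw value
#    *before* the shell parses the script, so the value becomes script source.
#    $1: step script containing the literal token ${{ github.head_ref }}.
#    Only that token is substituted; sed metacharacters in the value are not
#    escaped, which is enough for the constructed value above.
expand_inline() {
  printf '%s\n' "$1" | sed "s|[\$]{{ github[.]head_ref }}|$HEAD_REF|g"
}

# Runs the flagged pattern `run: echo "Branch: ${{ github.head_ref }}"` and
# prints what the shell produced. The injected command runs as a separate
# statement because the quotes in the branch name closed the string early.
inline_run_output() {
  sh -c "$(expand_inline 'echo "Branch: ${{ github.head_ref }}"')"
}

# 3. Environment-variable use, the fix the actionlint message recommends:
#      env:
#        HEAD_REF: ${{ github.head_ref }}
#      run: echo "Branch: $HEAD_REF"
#    The value reaches the shell as data in a variable, never as source text.
env_run_output() {
  HEAD_REF="$HEAD_REF" sh -c 'echo "Branch: $HEAD_REF"'
}

if head_ref_matches_prefix test/; then
  echo "if: condition is true; no shell was involved in evaluating it"
fi
echo "--- inline run: (vulnerable) ---"
inline_run_output
echo "--- env var run: (hardened) ---"
env_run_output
```

Running it shows the inline step printing `Branch: test/x` followed by `INJECTED`, while the environment-variable step prints the whole branch name, quotes and semicolons included, as a single literal line. The prefix check succeeds in both cases without ever passing the value to a shell, which is the behaviour the report attributes to `if:` conditions.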

rhysd commented 1 month ago

Your example doesn't reproduce this issue.

https://rhysd.github.io/actionlint/#eJwtjsEKwjAQRO/9ikGkUbB6D/TmJwgeS6rbJtImtbsRofTfTWthL8O8fUzwGkNkm2WvULPOAPqafuioSHmJwBg9FyFxsY5eYtEZIZa1co3GfprQOrGxPtOHvFTe9ISyhBpi11UjvWPCFfIcLGYUvif4sH1YMs+ENCeoRXpRR8zzqmahgf8DgAKLVOMawKEnsc63W7Xu06CHDdjdrGOkY9PQ7gdfd0Ud

Am I misunderstanding something?