Changes proposed in this Pull Request:
This PR avoids running malicious inputs as shell commands in the GitHub Actions.
Although most input values are entered by devs who have access to their repo, which means it's almost unlikely to be vulnerable to such attacks, it would be better to fix it.
Ref: https://securitylab.github.com/research/github-actions-untrusted-input/
Detailed test instructions:
- Workflows for managing test build
- automerge-released-trunk action
  I don't prepare a test for this as it uses the same fix as https://github.com/woocommerce/google-listings-and-ads/pull/2394
- eslint-annotation and stylelint-annotation actions
- prepare-extension-release action
- merge-trunk-develop-pr actions
- prepare-node and prepare-php actions
  prepare-node action. prepare-php action uses the same fix so I believe it should work as well.
- run-qit-annotate action
  run-qit-annotate action of this PR
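An added example, not code from this PR or its repository: a small Python check that flags untrusted `${{ ... }}` expressions expanded directly inside a `run:` script, the pattern the referenced GitHub Security Lab article describes, and accepts the form that passes the value through `env:` instead. The two workflow fragments, the input name `version`, and the list of contexts treated as untrusted are constructed assumptions.

```python
import re

# Contexts a caller or event author controls (assumed list, not exhaustive).
UNTRUSTED = re.compile(
    r"\$\{\{\s*(inputs\.[\w-]+|github\.event\.[\w.\-]+|github\.head_ref)\s*\}\}")
RUN_KEY = re.compile(r"^\s*(?:-\s+)?run:\s*(.*)$")

def find_run_injections(yaml_text):
    """Return (line_no, expression) for each untrusted expression inside a run: script."""
    findings, run_indent = [], None
    for no, line in enumerate(yaml_text.splitlines(), 1):
        indent = len(line) - len(line.lstrip())
        m = RUN_KEY.match(line)
        if m:
            run_indent = line.index("run:")  # column of the key, past any "- " marker
            body = m.group(1)
        elif run_indent is not None and (not line.strip() or indent > run_indent):
            body = line                      # continuation of a "run: |" block scalar
        else:
            run_indent, body = None, ""      # left the run: script
        findings += [(no, e.group(1)) for e in UNTRUSTED.finditer(body)]
    return findings

# Constructed sample: the expression is pasted into the script text before the shell runs.
VULNERABLE = '''\
runs:
  using: composite
  steps:
    - shell: bash
      run: |
        echo "Releasing ${{ inputs.version }}"
        git checkout -b "release/${{ inputs.version }}"
'''

# Constructed sample: the value reaches the shell only as a quoted environment variable.
HARDENED = '''\
runs:
  using: composite
  steps:
    - shell: bash
      env:
        VERSION: ${{ inputs.version }}
      run: |
        echo "Releasing $VERSION"
        git checkout -b "release/$VERSION"
'''

if __name__ == "__main__":
    print(find_run_injections(VULNERABLE), find_run_injections(HARDENED))
```

The scan is line-based and does not parse YAML, so it only recognises `run:` keys written in block style as in the samples.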