woodruffw / zizmor

A tool for finding security issues in GitHub Actions setups.
https://crates.io/crates/zizmor
MIT License
63 stars, 2 forks

Can github.sha expand into attacker-controllable code? #54

Closed. nedbat closed this 1 day ago

nedbat commented 1 day ago

I got this message:

info[template-injection]: code injection via template expansion
   --> /Users/ned/coverage/trunk/.github/workflows/coverage.yml:206:9
    |
206 |         - name: "Compute info for later steps"
    |           ------------------------------------ info: this step
207 |           id: info
208 |           run: |
    |  _________-
209 | |           export SHA10=$(echo ${{ github.sha }} | cut -c 1-10)
...   |
217 | |           echo "url=https://htmlpreview.github.io/?https://github.com/nedbat/coverage-reports/blob/main/reports/$SLUG/htmlcov/index...
218 | |           echo "branch=${REF#refs/heads/}" >> $GITHUB_ENV
    | |_________________________________________________________- info: github.sha may expand into attacker-controllable code
    |

Can ${{ github.sha }} be attacker-controlled? Isn't it controlled by GitHub, and is only the SHA of the commit? Am I overlooking a particularly sneaky approach? Or does zizmor warn about any value being interpolated into shell commands, regardless of its origin?

woodruffw commented 1 day ago

Nope, that's a false positive! There's a set of known-safe contexts defined here:

https://github.com/woodruffw/zizmor/blob/3345ff3eb162a314690634e73eeb04adf2d49b5e/src/audit/template_injection.rs#L35-L48

...but I forgot to add github.sha. I'll fix that now.
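To make the distinction concrete, here is an added Python sketch (not zizmor's code, and not the list linked above) of the rule being discussed: every `${{ ... }}` expansion inside a `run:` script is flagged unless its expression is exactly one of a known-safe set of GitHub-fixed contexts, and each finding is paired with the `env:` indirection that keeps the value out of the shell parser. The safe set, the two sample scripts and the helper names are assumptions chosen for illustration.

```python
import re

# Assumed known-safe set (illustrative, not zizmor's list): contexts whose
# values are fixed by GitHub and cannot carry attacker-chosen text.
KNOWN_SAFE_CONTEXTS = {
    "github.sha",
    "github.run_id",
    "github.run_number",
    "github.run_attempt",
    "github.server_url",
    "github.api_url",
}

# Matches the body of each ${{ ... }} expansion in a run: script.
EXPANSION = re.compile(r"\$\{\{(.*?)\}\}", re.DOTALL)


def find_expansions(script: str) -> list[str]:
    """Return the expression inside every ${{ ... }} in order of appearance."""
    return [m.group(1).strip() for m in EXPANSION.finditer(script)]


def is_known_safe(expr: str) -> bool:
    """Only a bare, exactly-matching safe context is accepted; event payload
    fields, inputs and any function call (even format('{0}', github.sha))
    are conservatively treated as tainted."""
    return expr in KNOWN_SAFE_CONTEXTS


def env_indirection(expr: str) -> str:
    """Mitigation: bind the expression to an env var and quote the var in the
    shell, so the value is data and is never re-parsed as shell syntax."""
    var = re.sub(r"[^A-Za-z0-9]+", "_", expr).strip("_").upper()
    return f'env:\n  {var}: ${{{{ {expr} }}}}\nrun: ... "${var}" ...'


def audit_run_block(script: str) -> list[dict]:
    """Report every expansion that is not known-safe, with its rewrite."""
    return [
        {"expression": expr, "advice": env_indirection(expr)}
        for expr in find_expansions(script)
        if not is_known_safe(expr)
    ]


# Constructed sample modelled on the step in the issue: github.sha is GitHub-fixed.
SAFE_STEP = "export SHA10=$(echo ${{ github.sha }} | cut -c 1-10)\n"
# Constructed sample of what the audit exists to catch: a pull request title is
# chosen by whoever opened the pull request.
TAINTED_STEP = 'echo "Building: ${{ github.event.pull_request.title }}"\n'
```

Running `audit_run_block` over the first sample yields no findings, while the second produces one finding whose advice moves the title into an environment variable.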

woodruffw commented 1 day ago

Fixed in https://github.com/woodruffw/zizmor/commit/8a933382c6214a80d009a0f6311b6152e15dcd5e.