
Fix GitHub Actions script injection vulnerabilities across workflows#1070

Merged
BYVoid merged 2 commits into master from copilot/fix-code-scanning-issues on Mar 27, 2026

Conversation

Contributor

Copilot AI commented Mar 27, 2026

GitHub code scanning alert #14 flagged expression injection vulnerabilities where untrusted/user-controlled context values were interpolated directly into run: scripts via ${{ }}, and secrets were exposed inline in Docker command arguments.

Changes

release-winget.yml — expression injection in PowerShell scripts

User-controlled values (github.event.inputs.version, github.ref_type, github.ref_name, github.repository, steps.version.outputs.value) were embedded directly into PowerShell run: blocks. Moved all of them to step-level env: and accessed them via $env:VAR:

# Before
run: |
  $value = "${{ github.event.inputs.version }}"
  if (-not $value -and "${{ github.ref_type }}" -eq "tag") { ... }

# After
env:
  INPUT_VERSION: ${{ github.event.inputs.version }}
  GIT_REF_TYPE: ${{ github.ref_type }}
run: |
  $value = $env:INPUT_VERSION
  if (-not $value -and $env:GIT_REF_TYPE -eq "tag") { ... }

python.yml / release-pypi.yml — secret exposed in Docker command line

PYPI_TOKEN was inlined as -e TWINE_PASSWORD=${{ secrets.PYPI_TOKEN }}, putting the secret value in the shell command. Moved to step env: and use Docker's environment inheritance:

# Before
run: |
  docker run ... -e TWINE_PASSWORD=${{ secrets.PYPI_TOKEN }} ...

# After
env:
  TWINE_PASSWORD: ${{ secrets.PYPI_TOKEN }}
run: |
  docker run ... -e TWINE_PASSWORD ...
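A small checker for the pattern this PR removes, added here as an example and not code from the OpenCC repository: it walks a workflow file line by line, follows the YAML block-scalar indentation of run: keys, and reports every ${{ }} expression inside a run: script that references one of the contexts the PR moved into env: (workflow inputs, ref_type, ref_name, repository, step outputs, secrets). The untrusted-context list and the sample workflow are constructed; github.head_ref is added to the list as a further commonly attacker-influenced context.

```python
import re

# Contexts a run: script should never receive through ${{ }} interpolation.
# List is constructed from the contexts this PR moved into env:, plus github.head_ref.
UNTRUSTED = re.compile(
    r"github\.event\.inputs\.|github\.ref_name\b|github\.ref_type\b|github\.repository\b|"
    r"github\.head_ref\b|steps\.[\w-]+\.outputs\.|secrets\."
)
EXPR = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")       # captures the expression text
RUN_KEY = re.compile(r"(?:-\s+)?run:\s*(.*)$")     # "run: |", "run: >" or "run: cmd"


def find_run_injections(workflow_text):
    """Return (line_no, expression) for each ${{ }} inside a run: script that
    references an untrusted context or a secret.  Expressions under env: are
    not reported: that is the safe place for them."""
    findings = []
    in_block, key_col = False, -1
    for n, line in enumerate(workflow_text.splitlines(), 1):
        stripped = line.strip()
        indent = len(line) - len(line.lstrip())
        if in_block:
            if stripped and indent <= key_col:   # dedent to key level ends the script
                in_block = False
            else:
                findings += [(n, e) for e in EXPR.findall(line) if UNTRUSTED.search(e)]
                continue
        m = RUN_KEY.match(stripped)
        if not m:
            continue
        rest = m.group(1)
        if rest.startswith(("|", ">")):          # multi-line script follows this key
            in_block, key_col = True, line.find("run:")
        else:                                    # single-line script on the same line
            findings += [(n, e) for e in EXPR.findall(rest) if UNTRUSTED.search(e)]
    return findings


# Constructed sample: the "before" and "after" shapes from this PR in one job.
SAMPLE_WORKFLOW = """\
jobs:
  release:
    steps:
      - name: Resolve version (before)
        run: |
          $value = "${{ github.event.inputs.version }}"
          if (-not $value -and "${{ github.ref_type }}" -eq "tag") { echo tag }
      - name: Publish (before)
        run: docker run -e TWINE_PASSWORD=${{ secrets.PYPI_TOKEN }} img
      - name: Resolve version and publish (after)
        env:
          INPUT_VERSION: ${{ github.event.inputs.version }}
          TWINE_PASSWORD: ${{ secrets.PYPI_TOKEN }}
        run: |
          $value = $env:INPUT_VERSION
          docker run -e TWINE_PASSWORD img
"""
```

Running find_run_injections(SAMPLE_WORKFLOW) reports the three "before" interpolations (lines 6, 7 and 9) and nothing for the "after" step, whose expressions sit under env:.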


…Actions workflows

Agent-Logs-Url: https://github.com/BYVoid/OpenCC/sessions/31e9f14d-f16c-4187-bfde-264193ae0543

Co-authored-by: BYVoid <245270+BYVoid@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix code scanning issues for all workflows Fix GitHub Actions script injection vulnerabilities across workflows Mar 27, 2026
Copilot AI requested a review from BYVoid March 27, 2026 02:18
@BYVoid BYVoid marked this pull request as ready for review March 27, 2026 02:18
@BYVoid BYVoid merged commit d725a5f into master Mar 27, 2026
31 of 32 checks passed
