Update documentation example usage to avoid executing untrusted inputs #336

Merged
Codex- merged 1 commit into Codex-:main from JackPGreen:untrusted-inputs
Mar 22, 2026

Conversation

@JackPGreen (Contributor) commented Mar 22, 2026

The example shown in the documentation:

https://github.com/Codex-/return-dispatch/blob/16fa9d14771c4d56ae0196bbda1d3c17f7f3650f/README.md?plain=1#L67-L68

```yaml
- name: echo distinct ID ${{ github.event.inputs.distinct_id }}
  run: echo ${{ github.event.inputs.distinct_id }}
```

Is vulnerable to untrusted input execution (i.e. `distinct_id` _could_ be a malicious command). See [this document](https://securitylab.github.com/resources/github-actions-untrusted-input/) (specifically - `Remediation`) for more details.

Also, the command can be simplified [as `inputs.blah` is equivalent to `github.event.inputs.blah`](https://docs.github.com/en/actions/reference/workflows-and-actions/events-that-trigger-workflows#providing-inputs), but [_also_ handles `workflow_call` `inputs`](https://github.blog/changelog/2022-06-09-github-actions-inputs-unified-across-manual-and-reusable-workflows/).

Summary by CodeRabbit

  • Documentation
    • Updated workflow example in README to demonstrate improved handling of workflow inputs using environment variables instead of direct interpolation.
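The weak step from the description beside the hardened form it argues for, as an added illustration rather than the return-dispatch README's own text. The env variable name `DISTINCT_ID` follows the PR's change summary; the `workflow_dispatch` input declaration and the job skeleton are assumptions added so the fragment is a complete workflow.

```yaml
# Added example, not the project's README. Shows why moving an untrusted
# input into `env` removes it from the shell's command text.
name: distinct-id-demo
on:
  workflow_dispatch:
    inputs:
      distinct_id:            # assumed declaration; supplied by the caller
        description: "Free-form ID echoed back by the job"
        required: true
        type: string

jobs:
  demo:
    runs-on: ubuntu-latest
    steps:
      # Before: the runner expands ${{ ... }} into the script source
      # *before* bash parses it, so whatever the caller typed becomes part
      # of the command line itself.
      - name: echo distinct ID ${{ github.event.inputs.distinct_id }}
        run: echo ${{ github.event.inputs.distinct_id }}

      # After: the expression is expanded only into the step's environment.
      # Bash sees it as a variable's value, never as command syntax, and the
      # double quotes keep it a single argument even with spaces or globs.
      # `inputs.*` resolves for workflow_dispatch and workflow_call alike,
      # so the same step also works inside a reusable workflow.
      # (The step `name` is display metadata only; no shell runs it.)
      - name: echo distinct ID ${{ inputs.distinct_id }}
        env:
          DISTINCT_ID: ${{ inputs.distinct_id }}
        run: echo "$DISTINCT_ID"
```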
coderabbitai (Bot) commented Mar 22, 2026

No actionable comments were generated in the recent review. 🎉

Commits: reviewing files that changed from the base of the PR and between 16fa9d1 and fbb366a.

Files selected for processing (1):
  • README.md

Walkthrough

The README.md file updates a GitHub Actions workflow example showing how to receive repository inputs. The step that prints distinct_id changes from using github.event.inputs.distinct_id to inputs.distinct_id, and refactors to access the value via an environment variable instead of direct interpolation.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Documentation: README.md | Updated GitHub Actions workflow example to use `inputs.distinct_id` and pass the value through an environment variable (`DISTINCT_ID`) instead of direct command interpolation. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Pre-merge checks: 3 passed

| Check name | Status | Explanation |
|---|---|---|
| Description Check | Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Title check | Passed | The title directly addresses the main change: updating documentation examples to prevent execution of untrusted inputs, which matches the core security improvement in the PR. |
| Docstring Coverage | Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

@Codex- (Owner) left a comment

Thanks!

@Codex- Codex- merged commit 5732b69 into Codex-:main Mar 22, 2026
1 check passed