DO-1766: Remediate GitHub Actions template injection vulnerabilities #123
Merged
TheOrangePuff merged 4 commits into main (Apr 2, 2026)
Move all ${{ }} expressions out of run: script blocks into env: blocks
to prevent potential template injection attacks. This applies to inputs,
secrets, and github context fields across all reusable workflows.
ea4f7a7 to cf90875
ENV_VARS is intentionally passed by calling workflows without requiring a GitHub Environment, as these are reusable workflow_call workflows.
b6a53d3 to 72af75b
AdamJHall reviewed Apr 2, 2026
AdamJHall previously approved these changes Apr 2, 2026
AdamJHall approved these changes Apr 2, 2026
Description of the proposed changes

Remediates GitHub Actions template injection vulnerabilities across all reusable workflows. All `${{ }}` expressions that were directly interpolated inside `run:` script blocks have been moved to `env:` blocks and referenced via shell environment variables instead. This prevents potential script injection where untrusted GitHub context fields (e.g. `github.event.pull_request.number`, `github.sha`) or workflow inputs could be used to inject arbitrary shell commands.

Affected workflows (10 files):

- `aem-sync-to-cloudmanager-repo.yml` — `inputs.debug`, `github.sha`
- `changeset-check.yml` — `inputs.debug`, `inputs.is-yarn-classic`
- `changeset-release.yml` — `inputs.debug`, `inputs.is-yarn-classic`
- `magento-cloud-deploy.yml` — `github.sha`, `inputs.debug`, `secrets.cst-reporting-token`
- `node-pr.yml` — `inputs.debug`, `inputs.is-yarn-classic`, `inputs.skip-cache`, `inputs.skip-*`, `secrets.ENV_VARS`
- `nx-serverless-deployment.yml` — `inputs.debug`, `inputs.is-yarn-classic`
- `php-quality-checks.yml` — `inputs.debug`, `inputs.use-custom-config`
- `pwa-deployment.yml` — `inputs.debug`, `inputs.preview-mode`, `inputs.is-yarn-classic`, `github.event.pull_request.number`
- `s3-deploy.yml` — `inputs.delete-flag`
- `shopify-deploy.yml` — `inputs.deploy-production`

Other solutions considered (if any)

Using `zizmor: ignore[template-injection]` annotations was considered but rejected in favour of actually fixing the underlying issue.

Notes to reviewers

The fix pattern is consistent across all files: move the `${{ }}` expression into an `env:` block on the step, then reference it as `${ENV_VAR}` in the shell script. For ternary expressions like `${{ inputs.debug && '--verbose' || '' }}`, these have been replaced with explicit `if` conditionals in the shell script. `github.sha` is replaced with the built-in `GITHUB_SHA` environment variable which GitHub Actions provides automatically.

ℹ️ When you've finished leaving feedback, please add a final comment to the PR tagging the author, letting them know that you have finished leaving feedback
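As an added illustration of the fix pattern described in the notes above (written for this review, not one of the repository's own workflow files; the job and step names and the `DEPLOY_PR`/`DEBUG` variable names are assumptions), one reusable workflow step shown before and after the change:

```yaml
# Added example, not a file from this repository. Job/step names and the
# DEPLOY_PR / DEBUG variable names are assumptions; the context fields and
# the inputs.debug ternary are the ones the PR description lists.
on:
  workflow_call:
    inputs:
      debug:
        type: boolean
        default: false

jobs:
  demo:
    runs-on: ubuntu-latest
    steps:
      # BEFORE: each ${{ }} expression is substituted into the script text
      # before the shell starts, so the value becomes part of the command
      # line rather than data. This is what zizmor's template-injection
      # audit flags.
      - name: Deploy (vulnerable pattern)
        run: |
          echo "Deploying PR ${{ github.event.pull_request.number }} at ${{ github.sha }}"
          ./deploy.sh ${{ inputs.debug && '--verbose' || '' }}

      # AFTER: values reach the shell only as environment variables. The
      # script text is now fixed; "${DEPLOY_PR}" is expanded by the shell as
      # a single quoted word of data and is never re-parsed as code.
      # github.sha is dropped in favour of the built-in GITHUB_SHA.
      - name: Deploy (remediated pattern)
        env:
          DEPLOY_PR: ${{ github.event.pull_request.number }}
          DEBUG: ${{ inputs.debug }}
        run: |
          # keep the variables double-quoted so they are not word-split or globbed
          echo "Deploying PR ${DEPLOY_PR} at ${GITHUB_SHA}"
          # the ${{ a && b || c }} ternary becomes an explicit shell conditional
          if [ "${DEBUG}" = "true" ]; then
            ./deploy.sh --verbose
          else
            ./deploy.sh
          fi
```

Running `zizmor` over this file should report only the first step under its `template-injection` audit, which is a quick way to confirm a remediated workflow has no remaining `${{ }}` expressions inside `run:` blocks.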