Skip to content

Fix code injection vulnerability in workflow_run.head_branch#23

Merged
digreatbrian merged 6 commits intomainfrom
copilot/add-pypi-publish-workflow
Feb 15, 2026
Merged

Fix code injection vulnerability in workflow_run.head_branch#23
digreatbrian merged 6 commits intomainfrom
copilot/add-pypi-publish-workflow

Conversation

Copy link
Copy Markdown
Contributor

Copilot AI commented Feb 12, 2026
edited
Loading

CodeQL identified unprivileged code injection in github.event.workflow_run.head_branch allowing arbitrary code execution via malicious branch names.

Changes

  • Use environment variable instead of direct GitHub Actions expression interpolation in bash script
  • Prevents shell expansion of untrusted input while preserving existing validation logic

Technical Details

Before (vulnerable):

- name: Extract version from tag
  id: extract_version
  run: |
    TAG_NAME="${{ github.event.workflow_run.head_branch }}"

An attacker could create a branch named $(malicious command) which would execute during interpolation.

After (secure):

- name: Extract version from tag
  id: extract_version
  env:
    HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}
  run: |
    TAG_NAME="$HEAD_BRANCH"

Environment variables are not subject to shell expansion, treating malicious input as literal strings.

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

@digreatbrian
Add pypi-publish.yml workflow with TestPyPI validation
e22eedc 
Co-authored-by: digreatbrian <119015367+digreatbrian@users.noreply.github.com>
github-advanced-security[bot]
github-advanced-security AI found potential problems Feb 12, 2026
View reviewed changes
Comment thread .github/workflows/pypi-publish.yml Fixed
Comment thread .github/workflows/pypi-publish.yml Fixed
Comment thread .github/workflows/pypi-publish.yml Fixed
@digreatbrian
Add security hardening: explicit permissions and secure checkout
fd6751f 
Co-authored-by: digreatbrian <119015367+digreatbrian@users.noreply.github.com>
Copilot AI changed the title [WIP] Add PyPI publish workflow dependent on TestPyPI Add PyPI publish workflow with TestPyPI validation gate Feb 12, 2026
Copilot AI requested a review from digreatbrian February 12, 2026 21:01
@digreatbrian
Install and verify specific tagged version from TestPyPI
9d55a6b 
Co-authored-by: digreatbrian <119015367+digreatbrian@users.noreply.github.com>
github-advanced-security[bot]
github-advanced-security AI found potential problems Feb 12, 2026
View reviewed changes
Comment thread .github/workflows/pypi-publish.yml Fixed
Copilot AI changed the title Add PyPI publish workflow with TestPyPI validation gate Install and verify tagged version in TestPyPI validation Feb 12, 2026
@digreatbrian
Fix security issues and TestPyPI installation command
4e69d1b 
Co-authored-by: digreatbrian <119015367+digreatbrian@users.noreply.github.com>
Copilot AI changed the title Install and verify tagged version in TestPyPI validation Fix security permissions and TestPyPI installation in publish workflows Feb 12, 2026
@digreatbrian
Fix code injection vulnerability in workflow_run.head_branch
9b291a1 
Co-authored-by: digreatbrian <119015367+digreatbrian@users.noreply.github.com>
Copilot AI changed the title Fix security permissions and TestPyPI installation in publish workflows Fix code injection vulnerability in workflow_run.head_branch Feb 15, 2026
@digreatbrian digreatbrian marked this pull request as ready for review February 15, 2026 20:15
@digreatbrian digreatbrian merged commit 99f9847 into main Feb 15, 2026
4 checks passed
@digreatbrian digreatbrian deleted the copilot/add-pypi-publish-workflow branch February 15, 2026 20:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@digreatbrian digreatbrian digreatbrian approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@digreatbrian digreatbrian

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@github-advanced-security @digreatbrian