Impact
(Shell injection) An attacker can execute arbitrary (*) shell commands if they control the value of the `tag` input or manage to alter the value of the `GITHUB_REF` environment variable, because that value reaches the shell without being sanitised or quoted.
Patches
The problem has been patched in v1.0.1.
Workarounds
If you don't use the `tag` input you are most likely safe. The `GITHUB_REF` environment variable is set by the GitHub Actions runner and cannot be overridden by workflow inputs or by `GITHUB_ENV`, so attacks through it should be impossible in practice.
If you must use the `tag` input and cannot upgrade to v1.0.1 or later, make sure its value is not controlled by another action or derived from untrusted event data (for example a pull request title or branch name).
(*): within the scope of what is allowed by GitHub Actions.
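The two patterns below are an added illustration of the bug class, not code from the affected action: a tag value interpolated into the text of a shell command is re-parsed as shell syntax, whereas the same value passed through the environment and expanded as a quoted word is not. The `tag_label` helpers, the fallback from `GITHUB_REF` to a tag name and the `printf` command they wrap are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (hypothetical helper names): contrasting an injectable and a safe
# way of handing an action input to the shell.

# Assumed fallback, mirroring the advisory's two attack paths: use the explicit
# input if given, otherwise derive the tag from GITHUB_REF (refs/tags/<name>).
resolve_tag() {
    if [ -n "$1" ]; then
        printf '%s\n' "$1"
    else
        printf '%s\n' "${GITHUB_REF#refs/tags/}"
    fi
}

# Vulnerable pattern: the tag is spliced into the command string, so `;`, `$(…)`
# and friends inside it are executed by the inner shell.
vulnerable_tag_label() {
    tag=$(resolve_tag "$1")
    sh -c "printf 'release: %s\n' $tag"
}

# Hardened pattern: the tag travels as an environment variable and is expanded by
# the inner shell as a single quoted word; its contents are never re-parsed.
safe_tag_label() {
    TAG=$(resolve_tag "$1") sh -c 'printf "release: %s\n" "$TAG"'
}

# Constructed malicious tag: a command substitution smuggled after a valid-looking name.
EVIL_TAG='v1.0.1 $(echo INJECTED)'

# Usage when run directly:
#   vulnerable_tag_label "$EVIL_TAG"   -> prints a line "release: INJECTED" (payload ran)
#   safe_tag_label "$EVIL_TAG"         -> prints the tag verbatim, payload inert
```

In a workflow file the same distinction is `run: some-cmd ${{ inputs.tag }}` (template expansion into the script text, injectable) versus declaring `env: TAG: ${{ inputs.tag }}` on the step and writing `run: some-cmd "$TAG"`; the second form is the one GitHub's own hardening guidance recommends.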