Objective
Fix High-severity template injection vulnerabilities in ci-doctor.lock.yml and close-old-discussions.lock.yml workflows.
Context
Security Risk: Template injection lets an attacker place shell code in issue titles, PR descriptions, or workflow inputs; when such a value is interpolated directly into a run: script, it is executed with the workflow's permissions.
Affected Files:
- .github/workflows/ci-doctor.lock.yml (line 1097)
- .github/workflows/close-old-discussions.lock.yml (line 546)
Reference: Discussion #5202 - Static Analysis Report
Approach
Move all ${{ github.event.* }} expressions from direct shell interpolation to environment variables.
Pattern to Fix:

❌ Before (Vulnerable):

```yaml
- name: Process issue
  run: |
    echo "Title: ${{ github.event.issue.title }}"
```

✅ After (Secure):

```yaml
- name: Process issue
  env:
    ISSUE_TITLE: ${{ github.event.issue.title }}
  run: |
    echo "Title: $ISSUE_TITLE"
```

Files to Modify
- .github/workflows/ci-doctor.md (source workflow)
  - Locate the step at line ~1097 in the compiled output
  - Move GitHub event expressions to the env: section
- .github/workflows/close-old-discussions.md (source workflow)
  - Locate the environment variable setup at line ~546 in the compiled output
  - Move untrusted expressions to the env: section
- Recompile workflows:

```shell
gh aw compile ci-doctor
gh aw compile close-old-discussions
```
Acceptance Criteria
- All ${{ github.event.* }} expressions moved to environment variables in both workflows
- No direct interpolation of untrusted data in shell scripts
- Workflows compile successfully with gh aw compile
- Static analysis (zizmor) shows no template injection findings for these workflows
- Tests pass after changes
Validation
Run static analysis to verify the fix:

```shell
gh aw compile ci-doctor --zizmor
gh aw compile close-old-discussions --zizmor
```

Expected: No High-severity template injection findings.
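As an added illustration of the pattern described under Approach and of the check Validation asks for (not code from this issue or from the gh aw project), the following Python script flags untrusted ${{ }} expressions interpolated directly into a step's run: script while accepting the env: form. The list of untrusted contexts and the two sample steps are constructed for the example.

```python
import re
# Expression contexts treated as attacker-influenced. Assumption: mirrors the issue's
# focus on github.event.* and adds workflow_dispatch inputs, which zizmor also flags.
UNTRUSTED = re.compile(r"\$\{\{\s*(github\.event\.[\w.\-\[\]]+|inputs\.[\w\-]+)\s*\}\}")
RUN_KEY = re.compile(r"(-\s+)?run:\s*(.*)$")

def find_run_injections(workflow_text: str):
    """Return [(line_no, expression)] for untrusted expressions interpolated directly
    into a step's run: script. Expressions placed under env: are not reported."""
    findings = []
    in_run, run_indent = False, -1
    for no, line in enumerate(workflow_text.splitlines(), start=1):
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        if in_run:
            # A block scalar ends at the first non-blank line indented no deeper than run:.
            if stripped and indent <= run_indent:
                in_run = False
            else:
                findings += [(no, m.group(0)) for m in UNTRUSTED.finditer(line)]
                continue
        m = RUN_KEY.match(stripped)
        if not m:
            continue
        run_indent = indent + len(m.group(1) or "")  # key column, after "- " if present
        rest = m.group(2)
        if rest.rstrip() in ("|", "|-", "|+", ">", ">-", ">+"):
            in_run = True  # multi-line script follows on deeper-indented lines
        else:
            findings += [(no, mm.group(0)) for mm in UNTRUSTED.finditer(rest)]
    return findings

# Constructed samples in the shape shown in the issue: the vulnerable step and its fix.
VULNERABLE = """\
- name: Process issue
  run: |
    echo "Title: ${{ github.event.issue.title }}"
"""
FIXED = """\
- name: Process issue
  env:
    ISSUE_TITLE: ${{ github.event.issue.title }}
  run: |
    echo "Title: $ISSUE_TITLE"
"""

if __name__ == "__main__":
    print("vulnerable:", find_run_injections(VULNERABLE))  # [(3, '${{ github.event.issue.title }}')]
    print("fixed:", find_run_injections(FIXED))  # []
```

This is a line-oriented heuristic rather than a YAML parser; the zizmor run above remains the authoritative check.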
Related to #5207
AI generated by Plan Command for discussion #5202