
Fix template injection vulnerabilities in ci-doctor and close-old-discussions workflows#5213

Merged
pelikhan merged 2 commits into main from copilot/fix-template-injection-vulnerabilities
Dec 1, 2025

Conversation


Copilot AI commented Dec 1, 2025

Fixes High-severity template injection vulnerabilities flagged by zizmor where ${{ github.event.* }} expressions were used directly in shell scripts.

Changes

  • shared/discussions-data-fetch.md: Move github.event.repository.name and github.repository_owner to env variables, reference via $REPO_NAME and $REPO_OWNER in GraphQL query
  • ci-doctor.md: Replace dynamic ${{ github.workflow }} title-prefix with static "[CI Failure Doctor] "

Before (vulnerable)

run: |
  gh api graphql -f query="
    repository(owner: \"${{ github.repository_owner }}\", name: \"${{ github.event.repository.name }}\") {

After (secure)

env:
  REPO_OWNER: ${{ github.repository_owner }}
  REPO_NAME: ${{ github.event.repository.name }}
run: |
  gh api graphql -f query="
    repository(owner: \"$REPO_OWNER\", name: \"$REPO_NAME\") {

Validated with gh aw compile --zizmor — no template-injection findings.

Original prompt

This section details the original issue you should resolve

<issue_title>[plan] Fix template injection vulnerabilities in ci-doctor and close-old-discussions workflows</issue_title>
<issue_description>## Objective

Fix High-severity template injection vulnerabilities in ci-doctor.lock.yml and close-old-discussions.lock.yml workflows.

Context

Security Risk: Template injection allows attackers to inject malicious code through issue titles, PR descriptions, or workflow inputs that gets executed with workflow permissions.

Affected Files:

  • .github/workflows/ci-doctor.lock.yml (Line 1097)
  • .github/workflows/close-old-discussions.lock.yml (Line 546)

Reference: Discussion #5202 - Static Analysis Report

Approach

Move all ${{ github.event.* }} expressions from direct shell interpolation to environment variables.

Pattern to Fix:

Before (Vulnerable):

- name: Process issue
  run: |
    echo "Title: ${{ github.event.issue.title }}"

After (Secure):

- name: Process issue
  env:
    ISSUE_TITLE: ${{ github.event.issue.title }}
  run: |
    echo "Title: $ISSUE_TITLE"

Files to Modify

  1. .github/workflows/ci-doctor.md (source workflow)

    • Locate the step at line ~1097 in the compiled output
    • Move GitHub event expressions to env: section
  2. .github/workflows/close-old-discussions.md (source workflow)

    • Locate the environment variable setup at line ~546 in compiled output
    • Move untrusted expressions to env: section
  3. Recompile workflows:

    gh aw compile ci-doctor
    gh aw compile close-old-discussions

Acceptance Criteria

  • All ${{ github.event.* }} expressions moved to environment variables in both workflows
  • No direct interpolation of untrusted data in shell scripts
  • Workflows compile successfully with gh aw compile
  • Static analysis (zizmor) shows no template injection findings for these workflows
  • Tests pass after changes

Validation

Run static analysis to verify fix:

gh aw compile ci-doctor --zizmor
gh aw compile close-old-discussions --zizmor

Expected: No High-severity template injection findings.
Related to #5207

AI generated by Plan Command for discussion #5202

Comments on the Issue (you are @copilot in this section)
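The pattern this PR and its linked issue apply (move untrusted `${{ github.event.* }}` expressions out of `run:` scripts into `env:`) can be checked mechanically. The following is an added, simplified scanner written for this page; it is not code from the gh-aw project or from zizmor, and the set of contexts it treats as untrusted is an illustrative subset (an assumption), not zizmor's full list.

```python
import re

# Expression contexts treated as attacker-controlled. Illustrative subset
# (assumption), not zizmor's full list.
UNTRUSTED = re.compile(
    r"\$\{\{\s*(github\.event\.[\w.]+|github\.head_ref|inputs\.[\w.]+)\s*\}\}"
)
# Matches `run: <inline script>` or `run: |` / `run: >` opening a block scalar.
RUN_KEY = re.compile(r"^(\s*)(-\s+)?run:\s*(\|-?|>-?)?\s*(.*)$")


def find_run_injections(workflow_text):
    """Return [(line_no, context)] for untrusted expressions inside run: scripts.
    Expressions under env: are not reported: the runner places them in the
    environment, so the shell sees them as data rather than script text."""
    findings, in_block, key_indent = [], False, 0
    for no, line in enumerate(workflow_text.splitlines(), 1):
        m = RUN_KEY.match(line)
        if m:
            findings += [(no, ctx) for ctx in UNTRUSTED.findall(m.group(4))]
            in_block = m.group(3) is not None  # a block scalar follows
            key_indent = len(m.group(1)) + len(m.group(2) or "")
            continue
        if in_block:
            indent = len(line) - len(line.lstrip())
            if line.strip() and indent <= key_indent:
                in_block = False  # dedented: block scalar ended
            else:
                findings += [(no, ctx) for ctx in UNTRUSTED.findall(line)]
    return findings


# Constructed sample steps modelled on the page's before/after pattern.
VULNERABLE = """\
steps:
  - name: Process issue
    run: |
      echo "Title: ${{ github.event.issue.title }}"
      gh api graphql -f query='repository(name: "${{ github.event.repository.name }}") { id }'
"""
FIXED = """\
steps:
  - name: Process issue
    env:
      ISSUE_TITLE: ${{ github.event.issue.title }}
      REPO_NAME: ${{ github.event.repository.name }}
    run: |
      echo "Title: $ISSUE_TITLE"
      gh api graphql -f query="repository(name: \\"$REPO_NAME\\") { id }"
"""

if __name__ == "__main__":
    print("vulnerable:", find_run_injections(VULNERABLE))  # findings on lines 4 and 5
    print("fixed:", find_run_injections(FIXED))  # []
```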



…cussions workflows

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix template injection vulnerabilities in workflows" to "Fix template injection vulnerabilities in ci-doctor and close-old-discussions workflows" Dec 1, 2025
Copilot AI requested a review from pelikhan December 1, 2025 12:45
@pelikhan pelikhan marked this pull request as ready for review December 1, 2025 14:02
@pelikhan pelikhan merged commit ae92026 into main Dec 1, 2025
4 checks passed
@pelikhan pelikhan deleted the copilot/fix-template-injection-vulnerabilities branch December 1, 2025 14:02