
fix: prevent script injection in workflows (release/v0.10.x) #625

Merged
thpierce merged 1 commit into release/v0.10.x from fix-github-event-injection-v0.10.x
Feb 10, 2026

@thpierce
Contributor

Move github.event references to env vars to prevent script injection vulnerabilities in run steps.

This change follows the same pattern as the main branch fix.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

@thpierce thpierce requested a review from a team as a code owner February 10, 2026 19:47
@thpierce thpierce added the skip changelog doesn't need a CHANGELOG entry label Feb 10, 2026
@thpierce thpierce force-pushed the fix-github-event-injection-v0.10.x branch 4 times, most recently from 8c4e47b to 178280a February 10, 2026 20:13
Move github.event references to env vars to prevent script injection vulnerabilities in run steps
@thpierce thpierce force-pushed the fix-github-event-injection-v0.10.x branch from 178280a to 0f6630b February 10, 2026 20:14
@thpierce thpierce merged commit 9810022 into release/v0.10.x Feb 10, 2026
7 of 13 checks passed
@thpierce thpierce deleted the fix-github-event-injection-v0.10.x branch February 10, 2026 21:00
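
As an added example (not part of this pull request or the project's code), the Python check below flags `github.event` expressions interpolated directly into `run` scripts and accepts the env-var form the PR description names. The two workflow snippets, the variable `PR_TITLE` and the function name `find_run_injections` are constructed for illustration, and the scanner is a line-based heuristic rather than a full YAML parser.

```python
import re

# Matches ${{ github.event.<anything> }} and captures the expression itself.
EVENT_EXPR = re.compile(r"\$\{\{\s*(github\.event\.[^}]*?)\s*\}\}")
# Matches a `run:` key, with or without a leading "- " list marker.
RUN_KEY = re.compile(r"^(\s*(?:-\s+)?)run:(.*)$")

def find_run_injections(workflow_text):
    """Return (line_number, expression) for github.event expressions inside run steps."""
    findings = []
    run_col = None  # column of the active `run:` key; None when outside a run block
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        if not line.strip():
            continue  # blank lines never end a block scalar
        indent = len(line) - len(line.lstrip(" "))
        if run_col is not None and indent > run_col:
            body = line  # continuation of the current run script
        else:
            m = RUN_KEY.match(line)
            run_col = len(m.group(1)) if m else None
            body = m.group(2) if m else ""  # inline script after `run:`
        findings += [(lineno, e) for e in EVENT_EXPR.findall(body)]
    return findings

# Constructed sample: the expression is expanded into the script text
# before the shell ever runs, so the value becomes part of the script.
BEFORE = """\
steps:
  - name: Check title
    run: |
      echo "Title: ${{ github.event.pull_request.title }}"
"""

# Constructed sample of the pattern the PR describes: the value reaches
# the script as an environment variable, so the shell treats it as data.
AFTER = """\
steps:
  - name: Check title
    env:
      PR_TITLE: ${{ github.event.pull_request.title }}
    run: |
      echo "Title: $PR_TITLE"
"""

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, find_run_injections(text))
```

Run over a repository's `.github/workflows/*.yml` files, an empty result for every file is the state this fix aims for.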