fix: Prevent script injection in platform-check action (#5913)

fix-it-felix-sentry[bot] · claude · web-flow · commit bf1cc8cc0c67 · 2026-03-30T08:44:48.000+02:00
Fixes ENG-7182 (parent: VULN-1389) Move input parameters from direct script interpolation to environment variables to prevent potential code injection attacks. This follows GitHub Actions security best practices by treating user input as untrusted and isolating it through environment variables. Changes: - Add env block with PLATFORM, SAMPLE_CHANGED, NEEDS_IOS, NEEDS_ANDROID, NEEDS_WEB - Remove ${{ inputs.* }} interpolations from script body - Update case statement to use environment variables References: - https://linear.app/getsentry/issue/VULN-1389 - https://linear.app/getsentry/issue/ENG-7182 - https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions#understanding-the-risk-of-script-injections Co-authored-by: fix-it-felix-sentry[bot] <260785270+fix-it-felix-sentry[bot]@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
diff --git a/.github/actions/platform-check/action.yml b/.github/actions/platform-check/action.yml
@@ -32,10 +32,13 @@ runs:
     - name: Check if platform is needed
       id: check
       shell: bash
+      env:
+        PLATFORM: ${{ inputs.platform }}
+        SAMPLE_CHANGED: ${{ inputs.sample_changed }}
+        NEEDS_IOS: ${{ inputs.needs_ios }}
+        NEEDS_ANDROID: ${{ inputs.needs_android }}
+        NEEDS_WEB: ${{ inputs.needs_web }}
       run: |
-        PLATFORM="${{ inputs.platform }}"
-        SAMPLE_CHANGED="${{ inputs.sample_changed }}"
-
         if [[ "$SAMPLE_CHANGED" == "true" ]]; then
           echo "skip=false" >> "$GITHUB_OUTPUT"
           echo "Sample app changed — building/testing $PLATFORM."
@@ -44,9 +47,9 @@ runs:
 
         # macOS uses the iOS change-detection flag
         case "$PLATFORM" in
-          ios|macos) NEEDS="${{ inputs.needs_ios }}" ;;
-          android)   NEEDS="${{ inputs.needs_android }}" ;;
-          web)       NEEDS="${{ inputs.needs_web }}" ;;
+          ios|macos) NEEDS="$NEEDS_IOS" ;;
+          android)   NEEDS="$NEEDS_ANDROID" ;;
+          web)       NEEDS="$NEEDS_WEB" ;;
           *)
             echo "::warning::Unknown platform '$PLATFORM' — not skipping."
             echo "skip=false" >> "$GITHUB_OUTPUT"
