Avoid shell/template injection when building PR body (Line 46).
`steps.commits.outputs.log` is injected into a double-quoted shell argument. If a commit message contains shell metacharacters (for example `$(...)` or quotes), it can be executed/interpreted in this step.

🔒 Safer pattern using `--body-file`

- name: Create PR env: GH_TOKEN: ${{ steps.app-token.outputs.token }} + COMMITS_LOG: ${{ steps.commits.outputs.log }} run: | + { + printf '## Commits being promoted\n\n' + printf '%s\n\n' "$COMMITS_LOG" + printf '> **Merge with rebase** to preserve individual commit messages for semantic-release.\n' + } > pr_body.md + gh pr create \ --base release \ --head main \ --title "feat(release): promote main to stable" \ - --body "## Commits being promoted - - ${{ steps.commits.outputs.log }} - - > **Merge with rebase** to preserve individual commit messages for semantic-release." + --body-file pr_body.md

🧰 Tools

🪛 zizmor (1.25.2)

[info] 46-46: code injection via template expansion (template-injection): may expand into attacker-controllable code (template-injection)
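Review bot: the suggested hunk writes the body to `pr_body.md` in the checked-out repository root (`} > pr_body.md`), where a later step that commits, packages or uploads the workspace could pick it up by accident; write it under the runner's temp directory instead, e.g. `"$RUNNER_TEMP/pr_body.md"`, and pass that path to `--body-file`. Moving the expansion into `env:` (`COMMITS_LOG: ${{ steps.commits.outputs.log }}`) and emitting it with `printf '%s\n\n' "$COMMITS_LOG"` is the right fix, because an environment value is never re-parsed by the shell; note that it only removes shell interpretation, so markdown in commit messages still renders in the PR body as written.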
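The pattern the suggestion relies on, as an added example that is not part of the reviewed workflow or the bot's suggestion: a shell function that builds the PR body from an environment-supplied commit log with `printf '%s'`, plus a check that a constructed log containing `$(...)`, quotes and backticks lands in the file unchanged. `build_pr_body`, `body_is_literal` and the sample log are assumptions of this example, not names from the workflow.

```shell
#!/usr/bin/env bash
# Added example (not from the reviewed workflow): build the PR body the way the
# suggested fix does. The commit log arrives as data (an argument / env value)
# and is written with printf '%s', so shell metacharacters stay literal text.
set -eu

# build_pr_body LOG OUTFILE: write the PR body markdown to OUTFILE.
build_pr_body() {
  commits_log="$1"
  out="$2"
  {
    printf '## Commits being promoted\n\n'
    printf '%s\n\n' "$commits_log"
    printf '> **Merge with rebase** to preserve individual commit messages for semantic-release.\n'
  } > "$out"
}

# Constructed commit log carrying the metacharacters the review warns about.
# Single quotes keep $(uname) and the backticks from being evaluated here.
SAMPLE_LOG='- fix: handle $(uname) in paths
- feat: add "quoted" flag `--force`'

# body_is_literal OUTFILE: exit 0 only if the risky fragments appear verbatim,
# i.e. nothing was expanded or executed while the body was built.
body_is_literal() {
  grep -Fq -- '$(uname)' "$1" && grep -Fq -- '"quoted" flag `--force`' "$1"
}

main() {
  # Write under the runner temp dir rather than the repo checkout.
  body="$(mktemp "${RUNNER_TEMP:-/tmp}/pr_body.XXXXXX")"
  build_pr_body "$SAMPLE_LOG" "$body"
  body_is_literal "$body" && echo "commit log preserved literally in $body"
}

main "$@"
```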