Add security workflows #23
Annotations
4 errors
Run KittyCAD/gha-workflows/.github/actions/semgrep-action@security

All four findings come from the same semgrep rule, reported at these locations:

- .github/actions/zizmor-action/action.yml#L34
- .github/actions/zizmor-action/action.yml#L21
- .github/actions/semgrep-action/action.yml#L49
- .github/actions/semgrep-action/action.yml#L35

Rule message (identical for each finding): Using variable interpolation ... with github context data in a run step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. github context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with env to store the data and use the environment variable in the run script. Be sure to double-quote the environment variable, like this: "$ENVVAR".