
Fix command injection vulnerabilities in GitHub Actions workflows #301

Merged
baynezy merged 3 commits into develop from copilot/update-workflow-security
Dec 2, 2025

Copilot AI commented Dec 1, 2025

Three workflows were vulnerable to command injection by interpolating untrusted data directly into shell commands using GitHub expression syntax (${{ ... }}).

Changes

  • draft-new-release.yml: Move github.event.inputs.*, github.actor, github.repository, github.run_id, and step outputs to environment variables
  • in-progress-feature-workflow.yml: Move steps.extract_issue.outputs.issue to environment variable
  • completed-feature-workflow.yml: Move steps.extract_issue.outputs.issue to environment variable

Approach

Instead of:

run: echo "PR title: ${{ github.event.pull_request.title }}"

Use:

env:
  PR_TITLE: ${{ github.event.pull_request.title }}
run: echo "PR title: $PR_TITLE"

This prevents shell interpretation of user-controlled data while maintaining functionality.

Original prompt

This section details the original issue you should resolve

<issue_title>Change this workflow to not use user-controlled data directly in a run block.</issue_title>
<issue_description>To prevent command injection in GitHub Actions workflows, avoid directly interpolating untrusted data into shell commands. Instead, use environment variables to safely pass untrusted data without risk of code execution.

The recommended approach is to assign untrusted data to environment variables using the env key, then reference these variables using standard shell variable syntax ($VARIABLE_NAME or ${VARIABLE_NAME}) rather than GitHub's expression syntax (${{ … }}).

Noncompliant code example

The following GitHub Action is vulnerable to command injections as it uses untrusted input directly in a run command:

```yaml
name: Example

on:
  pull_request:
    branches: [ main ]

jobs:
  main:
    runs-on: ubuntu-latest

    steps:
      - name: Example Step
        run: |
          echo "PR title: ${{ github.event.pull_request.title }}" # Noncompliant
```

Compliant solution

```yaml
name: Example

on:
  pull_request:
    branches: [ main ]

jobs:
  main:
    runs-on: ubuntu-latest

    steps:
      - name: Example Step
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          echo "PR title: $PR_TITLE"
```
</issue_description>

## Comments on the Issue (you are @copilot in this section)

<comments>
</comments>


Co-authored-by: baynezy <1049999+baynezy@users.noreply.github.com>
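
A minimal check for the pattern this pull request removes, as an added example that is not part of the original pull request or the repository's code: it lists every `${{ ... }}` expression that appears inside a `run:` script, while leaving expressions under `env:` alone. The function name, the line-based parsing (no YAML library; only single-line `run:` and `|` / `>` block scalars are handled) and the sample workflow are assumptions made for illustration.

```python
import re

EXPR = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")
RUN_KEY = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")

def find_run_interpolations(workflow_text):
    """Return [(line_no, expression)] for every ${{ }} inside a run: script."""
    findings = []
    key_col = None  # column of the run: key while we are inside its block scalar
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        if key_col is not None:
            indent = len(line) - len(line.lstrip())
            if not line.strip() or indent > key_col:
                # Still inside the script: any expression here becomes script text.
                findings += [(line_no, e) for e in EXPR.findall(line)]
                continue
            key_col = None  # dedent: the script has ended
        match = RUN_KEY.match(line)
        if not match:
            continue
        prefix, rest = match.groups()
        if rest[:1] in ("|", ">"):
            key_col = len(prefix)  # multi-line script follows on the next lines
        else:
            findings += [(line_no, e) for e in EXPR.findall(rest)]
    return findings

# Constructed sample workflow (not taken from the repository).
SAMPLE = """\
name: Example
on:
  pull_request:
    branches: [ main ]
jobs:
  main:
    runs-on: ubuntu-latest
    steps:
      - name: Interpolated into the script text
        run: |
          echo "PR title: ${{ github.event.pull_request.title }}"
      - name: Passed through the environment
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          echo "PR title: $PR_TITLE"
      - run: echo "Issue ${{ steps.extract_issue.outputs.issue }}"
"""

if __name__ == "__main__":
    for line_no, expression in find_run_interpolations(SAMPLE):
        print(f"line {line_no}: {expression} is expanded into the script text")
```

The check reports every expression in a script, not only ones known to be attacker-controlled, which matches the changes listed above where values such as github.repository and github.run_id were also moved to environment variables.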
Copilot AI changed the title from "[WIP] Change workflow to avoid user-controlled data in run block" to "Fix command injection vulnerabilities in GitHub Actions workflows" Dec 1, 2025
Copilot AI requested a review from baynezy December 1, 2025 17:37
@baynezy baynezy marked this pull request as ready for review December 2, 2025 16:13

sonarqubecloud Bot commented Dec 2, 2025

@baynezy baynezy merged commit b0dcb2d into develop Dec 2, 2025
7 checks passed
@baynezy baynezy deleted the copilot/update-workflow-security branch December 2, 2025 16:19
Development

Successfully merging this pull request may close these issues.

Change this workflow to not use user-controlled data directly in a run block.
