KEMBAR78
Clearly document passing inputs to the `script` by joshmgross · Pull Request #603 · actions/github-script · GitHub
Skip to content

Conversation

@joshmgross
Copy link
Contributor

A lot of questions we get around SyntaxErrors are due to misusing Actions Expressions with the script - https://github.com/actions/github-script/issues?q=is:issue%20state:closed%20SyntaxError

This was documented in #126, but I believe it's worth clearly highlighting the security risks of using Actions expressions within the script and moving it up in the README as it's a common scenario.

@Copilot Copilot AI review requested due to automatic review settings May 13, 2025 15:01
@joshmgross joshmgross requested a review from a team as a code owner May 13, 2025 15:01
@joshmgross joshmgross temporarily deployed to debug-integration-test May 13, 2025 15:01 — with GitHub Actions Inactive
@github-actions
Copy link

github-actions bot commented May 13, 2025

Hello from actions/github-script! (23886ca)

Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR clarifies how to safely pass inputs into the script step by using environment variables instead of inline Actions expressions, and highlights the security risks of script injection.

  • Adds a new Passing inputs to the script section with example usage
  • Removes the outdated Use env as input snippet further down in the README

@joshmgross joshmgross temporarily deployed to debug-integration-test May 13, 2025 15:05 — with GitHub Actions Inactive
@joshmgross joshmgross merged commit 5ee2b97 into main May 14, 2025
14 checks passed
@joshmgross joshmgross deleted the joshmgross/document-inputs branch May 14, 2025 14:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants