
GitHub Action Unsecure Commands

Ensure that GitHub Actions workflows do not enable the deprecated unsecure commands. If they are enabled and untrusted output is logged, the deprecated commands set-env and add-path could be used to compromise the execution of the workflow.

Examples

Insecure Example

steps:
- env:
    ACTIONS_ALLOW_UNSECURE_COMMANDS: true
    ISSUE_TITLE: ${{ github.event.issue.title }}
  run: |
    echo "$ISSUE_TITLE"

Secure Example

Remove all usage of ACTIONS_ALLOW_UNSECURE_COMMANDS.

steps:
- env:
    ISSUE_TITLE: ${{ github.event.issue.title }}
  run: |
    echo "$ISSUE_TITLE"
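
One way to enforce this rule in review or CI is a small scan of workflow files, shown here as an added example that is not part of the original rule documentation. The function name find_unsecure_commands, the line-based matching, the fail-safe treatment of values, and the second sample workflow are assumptions made for illustration.

```python
import re

# The flag as an env: map entry ("NAME: value") or a shell assignment ("NAME=value").
FLAG = re.compile(r"ACTIONS_ALLOW_UNSECURE_COMMANDS\s*[:=]\s*['\"]?([^'\"\s]*)")
COMMENT = re.compile(r"(^|\s)#.*$")

def find_unsecure_commands(workflow_text):
    """Return (line_number, value, enabling) for every use of the flag."""
    findings = []
    for number, line in enumerate(workflow_text.splitlines(), start=1):
        match = FLAG.search(COMMENT.sub("", line))  # ignore YAML comments
        if match:
            value = match.group(1)
            # Assumption: fail safe, anything but an explicit off value enables it.
            enabling = value.lower() not in ("", "false", "0")
            findings.append((number, value, enabling))
    return findings

# The page's insecure example.
INSECURE = """\
steps:
- env:
    ACTIONS_ALLOW_UNSECURE_COMMANDS: true
    ISSUE_TITLE: ${{ github.event.issue.title }}
  run: |
    echo "$ISSUE_TITLE"
"""

# Constructed sample: workflow-level env, quoted value, a comment, an explicit false.
CONSTRUCTED = """\
env:
  ACTIONS_ALLOW_UNSECURE_COMMANDS: 'TRUE'   # legacy action needs it
jobs:
  build:
    steps:
    # ACTIONS_ALLOW_UNSECURE_COMMANDS: true
    - env:
        ACTIONS_ALLOW_UNSECURE_COMMANDS: false
      run: echo hi
"""

if __name__ == "__main__":
    for name, text in (("insecure", INSECURE), ("constructed", CONSTRUCTED)):
        for number, value, enabling in find_unsecure_commands(text):
            state = "ENABLED" if enabling else "present, remove"
            print(f"{name}:{number}: ACTIONS_ALLOW_UNSECURE_COMMANDS={value!r} ({state})")
```

Occurrences with an explicit false are still reported, since the secure form removes the variable entirely.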