GitHub Action uses inputs
Checks for a GitHub Actions workflow that runs on the workflow_dispatch event and defines inputs that may change the behavior of the workflow. To keep workflow execution deterministic, avoid using workflow inputs. If the inputs cannot be removed, make sure every input value is used safely throughout the workflow.
Examples
Insecure Example
on:
  workflow_dispatch:
    inputs:
      artifact_url:
        type: string
        required: true
jobs:
  download:
    runs-on: ubuntu-latest
    steps:
      - env:
          URL: ${{ inputs.artifact_url }}
        run: |
          # the caller-supplied URL is fetched and unpacked into the workspace
          wget -O artifact.tar.gz "$URL"
          tar -xvf artifact.tar.gz
      - run: npm install
Secure Example
Avoid using workflow_dispatch inputs.
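As an added example (not part of the original rule page), a small Python checker that implements the check described above: it lists the inputs declared under on.workflow_dispatch and reports every ${{ inputs.X }} or ${{ github.event.inputs.X }} reference together with the step field it lands in, so a reference interpolated directly into run is flagged as script injection and one passed through env or with as untrusted data that still needs validation. The indentation-based YAML walk and the INSECURE sample (the page's insecure workflow, with wget given -O) are constructed for this example.

```python
import re

INPUT_REF = re.compile(r"\$\{\{\s*(?:inputs|github\.event\.inputs)\.([\w-]+)\s*\}\}")
STEP_FIELDS = {"run", "env", "with", "if", "uses", "name"}  # where a reference can land

def audit_dispatch_inputs(text):
    """Inputs declared under on.workflow_dispatch plus every ${{ inputs.X }} reference."""
    stack, scalar_indent, declared, usages = [], None, [], []  # stack: (indent, key) path
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        body = line.lstrip(" -")                     # a list-item dash is not part of the key
        indent = len(line) - len(body)
        key, sep, value = body.partition(":")
        key = key.strip().strip("'\"") if sep else ""
        in_scalar = scalar_indent is not None and indent > scalar_indent
        if not in_scalar:
            scalar_indent = None                     # left the 'run: |' block, if any
        if key and not in_scalar:
            while stack and stack[-1][0] >= indent:  # climb back to the parent mapping
                stack.pop()
            stack.append((indent, key))
            if re.match(r"[|>][-+]?\s*$", value.strip()):
                scalar_indent = indent               # deeper lines that follow are script text
        path = [k for _, k in stack]
        if key and path[:3] == ["on", "workflow_dispatch", "inputs"] and len(path) == 4:
            declared.append(key)
        field = next((k for k in reversed(path) if k in STEP_FIELDS), "?")
        for m in INPUT_REF.finditer(line):
            usages.append({"line": lineno, "input": m.group(1), "field": field,
                           "risk": "script injection" if field == "run" else "untrusted data"})
    return {"declared": declared, "used": usages}

# Constructed sample (the page's insecure workflow; wget given -O so the file is written).
INSECURE = """\
on:
  workflow_dispatch:
    inputs:
      artifact_url:
jobs:
  download:
    runs-on: ubuntu-latest
    steps:
      - env:
          URL: ${{ inputs.artifact_url }}
        run: |
          wget -O artifact.tar.gz "$URL"
          tar -xvf artifact.tar.gz
      - run: npm install
"""
```

Running `audit_dispatch_inputs(INSECURE)` reports `artifact_url` as declared and one use on the env line (risk "untrusted data"); the same input written straight into a run script is reported as "script injection".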