GitHub Action uses inputs

Checks for a GitHub Actions workflow that runs on the workflow_dispatch event and defines inputs that may change the behavior of the workflow. To keep workflow execution deterministic, avoid using workflow inputs. If the inputs cannot be removed, ensure the input values are used safely throughout the workflow.

Examples

Insecure Example

on:
  workflow_dispatch:
    inputs:
      artifact_url:
        type: string
        required: true

jobs:
  download:
    runs-on: ubuntu-latest
    steps:
      # The input chooses which archive is downloaded and extracted,
      # so whoever dispatches the run controls the step's behavior.
      - env:
          URL: ${{ inputs.artifact_url }}
        run: |
          wget -O artifact.tar.gz "$URL"
          tar -xvf artifact.tar.gz

      - run: npm install

Secure Example

Avoid using workflow_dispatch inputs.
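To show what this check looks for, here is an added Python example (not the project's own code) that scans a workflow file for inputs declared under workflow_dispatch and for every ${{ inputs.* }} reference, recording whether a reference expands directly inside a run: script (substituted before the shell runs) or only feeds an env: variable as in the insecure example above. It uses an indentation-based scan instead of a YAML parser and assumes two-space indentation; the sample workflow is constructed for the example.

```python
import re

# Matches both spellings a workflow can use to read a dispatch input.
INPUT_REF = re.compile(r"\$\{\{\s*(?:github\.event\.)?inputs\.([\w-]+)\s*\}\}")

# Constructed sample modelled on the page's insecure example (not the project's code).
SAMPLE_WORKFLOW = """\
on:
  workflow_dispatch:
    inputs:
      artifact_url:
        type: string
jobs:
  download:
    steps:
      - env:
          URL: ${{ inputs.artifact_url }}
        run: |
          wget -O artifact.tar.gz "$URL"
      - run: echo "fetched ${{ github.event.inputs.artifact_url }}"
"""

def declared_inputs(text):
    """Keys one level below the inputs: block of the workflow_dispatch trigger."""
    names, wd, inp = [], None, None
    for line in text.splitlines():
        s, ind = line.strip(), len(line) - len(line.lstrip(" "))
        if wd is not None and s and ind <= wd:
            wd = inp = None  # left the workflow_dispatch block
        if inp is not None and ind == inp + 2 and s.endswith(":"):
            names.append(s[:-1])
        if s == "workflow_dispatch:":
            wd = ind
        elif s == "inputs:" and wd is not None and inp is None:
            inp = ind
    return names

def input_references(text):
    """Each inputs.* expression with its line and whether it expands inside a run: script."""
    refs, run_indent = [], None
    for no, line in enumerate(text.splitlines(), 1):
        s, ind = line.strip(), len(line) - len(line.lstrip(" "))
        if run_indent is not None and s and ind <= run_indent:
            run_indent = None  # the run: block scalar has ended
        in_run = run_indent is not None or s.startswith(("run:", "- run:"))
        if s.startswith(("run:", "- run:")) and s.endswith(("|", ">")):
            run_indent = ind + (2 if s.startswith("- ") else 0)
        for m in INPUT_REF.finditer(line):
            refs.append({"line": no, "name": m.group(1), "in_run": in_run})
    return refs
```

A workflow with no workflow_dispatch inputs yields an empty declaration list and nothing to report.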