`github.action_path` suggests using `cd ${{ ... }}` which is against best practices
Code of Conduct
- [x] I have read and agree to the GitHub Docs project's Code of Conduct
What article on docs.github.com is affected?
https://docs.github.com/en/actions/reference/workflows-and-actions/contexts#github-context
What part(s) of the article would you like to see updated?
| Property name | Type | Description |
|---|---|---|
| `github.action_path` | `string` | The path where an action is located. This property is only supported in composite actions. You can use this path to access files located in the same repository as the action, for example by changing directories to the path: `cd ${{ github.action_path }}`. |
Additional information
`run:` should not suggest `${{ ... }}` as it's often dangerous; instead, people should generally use:

```yaml
env:
  something: ${{ ... }}
run: |
  use "$something"
```
The general advice is here: https://docs.github.com/en/actions/reference/security/secure-use#use-an-intermediate-environment-variable
> Use an intermediate environment variable
>
> For inline scripts, the preferred approach to handling untrusted input is to set the value of the expression to an intermediate environment variable.
While some GitHub context items may be safe, many are not, and it's much safer to tell people to never use them inline as a rule than to offer mixed samples -- people will draw the wrong conclusions, leading to unsafe outcomes.
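The "never inline" rule from the report can be checked mechanically. The following is an added example, not part of the original issue or of GitHub's tooling: a small stdlib-only check that reports every `${{ ... }}` expression found inside a `run:` script and ignores expressions assigned under `env:`. The sample action text, the `ACTION_PATH` variable name and the `inputs.greeting` input are constructed for illustration.

```python
import re

# "run:" key, optionally as the first key of a list item ("- run:").
RUN_KEY = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")
EXPR = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")


def find_inline_expressions(workflow_text):
    """Return (line_number, expression) for each ${{ }} inside a run: script."""
    findings = []
    block_indent = None  # column of the run: key while inside a block scalar
    for number, line in enumerate(workflow_text.splitlines(), start=1):
        if block_indent is not None:
            indent = len(line) - len(line.lstrip(" "))
            if not line.strip() or indent > block_indent:
                findings += [(number, e) for e in EXPR.findall(line)]
                continue
            block_indent = None  # dedent: the script block has ended
        match = RUN_KEY.match(line)
        if match:
            prefix, value = match.groups()
            if value[:1] in ("|", ">"):  # multi-line script follows
                block_indent = len(prefix)
            else:  # single-line script on the same line as the key
                findings += [(number, e) for e in EXPR.findall(value)]
    return findings


# Constructed composite-action fragment: one inline use, one env-based use,
# and one single-line run: with an inline expression.
SAMPLE = """\
runs:
  using: composite
  steps:
    - name: weak (expression expanded into the script text)
      shell: bash
      run: |
        cd ${{ github.action_path }}
        ./build.sh
    - name: hardened (value passed through the environment)
      shell: bash
      env:
        ACTION_PATH: ${{ github.action_path }}
      run: |
        cd "$ACTION_PATH"
        ./build.sh
    - run: echo "${{ inputs.greeting }}"
      shell: bash
"""

if __name__ == "__main__":
    for number, expr in find_inline_expressions(SAMPLE):
        print(f"line {number}: inline expression '{expr}' in run: script")
```

The check is line-based and does not parse YAML fully, so treat it as a review aid rather than a complete linter.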