fix: yaml.github-actions.security.run-shell-injection.run-shell-injection security vulnerability (#43824)

Automated security fix generated by Orbis Security AI Co-authored-by: Ubuntu <ubuntu@ip-172-31-32-15.us-west-2.compute.internal>
2026-05-02 02:49:49 +00:00 · 2026-04-27 19:03:15 +05:30
parent 7e936457e4
commit c128568da0
1 changed files with 7 additions and 5 deletions
--- a/.github/workflows/claude-dedupe-issues.yml
+++ b/.github/workflows/claude-dedupe-issues.yml
@@ -38,10 +38,11 @@ jobs:
        if: always()
        env:
          STATSIG_API_KEY: ${{ secrets.STATSIG_API_KEY }}
+          ISSUE_NUMBER: ${{ github.event.issue.number || inputs.issue_number }}
+          REPO: ${{ github.repository }}
+          TRIGGERED_BY: ${{ github.event_name }}
+          WORKFLOW_RUN_ID: ${{ github.run_id }}
        run: |
-          ISSUE_NUMBER=${{ github.event.issue.number || inputs.issue_number }}
-          REPO=${{ github.repository }}
-          
          if [ -z "$STATSIG_API_KEY" ]; then
            echo "STATSIG_API_KEY not found, skipping Statsig logging"
            exit 0
@@ -51,7 +52,8 @@ jobs:
          EVENT_PAYLOAD=$(jq -n \
            --arg issue_number "$ISSUE_NUMBER" \
            --arg repo "$REPO" \
-            --arg triggered_by "${{ github.event_name }}" \
+            --arg triggered_by "$TRIGGERED_BY" \
+            --arg workflow_run_id "$WORKFLOW_RUN_ID" \
            '{
              events: [{
                eventName: "github_duplicate_comment_added",
@@ -60,7 +62,7 @@ jobs:
                  repository: $repo,
                  issue_number: ($issue_number | tonumber),
                  triggered_by: $triggered_by,
-                  workflow_run_id: "${{ github.run_id }}"
+                  workflow_run_id: $workflow_run_id
                },
                time: (now | floor | tostring)
              }]