GitHub Actions escape inputs


This post goes over how to escape inputs in GitHub Actions workflows to prevent script injection:

Workflow

Let’s say you have the workflow:

# .github/workflows/message.yml
on:
  workflow_dispatch:
    inputs:
      message:
        required: true
jobs:
  message:
    runs-on: ubuntu-latest
    steps:
      - run: echo ${{ inputs.message }}

The runner expands ${{ inputs.message }} into the script text before bash parses it, so the value is treated as shell code rather than as data: a semicolon or a newline ends the echo command and starts a new one, and $(...) or backticks run a command substitution. Anyone allowed to trigger the workflow_dispatch event chooses that value.

toJSON

To escape the input with toJSON:

- run: echo ${{ toJSON(inputs.message) }}

Note that toJSON turns the input into a JSON string literal: the value is wrapped in double quotes and embedded quotes, backslashes and newlines are escaped. That defeats the semicolon case above, but JSON escaping is not shell escaping. Bash still expands $VAR, $(...) and backticks inside double quotes, and a newline reaches echo as the two characters \n, so treat toJSON as a convenience for values you already trust and use the env approach below for untrusted input.

env

To escape the input with env:

- run: echo $MESSAGE
  env:
    MESSAGE: ${{ inputs.message }}

Wrap the variable in double quotes. An unquoted $MESSAGE is subject to word splitting and filename expansion, so runs of whitespace (newlines included) collapse to single spaces and a * in the message expands to file names; "$MESSAGE" passes the value through unchanged:

- run: echo "$MESSAGE"
  env:
    MESSAGE: ${{ inputs.message }}
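
As an added example (not code from the original post), the following Python script simulates what the runner does for each of the three run: steps above: the interpolated form, the toJSON form and the env form. It feeds the same constructed messages to each, using json.dumps as a stand-in for the toJSON expression function and invoking bash with the flags ubuntu-latest uses, so the difference in what bash actually executes is visible without pushing a workflow. The messages are constructed test inputs and the step_* function names are this example's own.

```python
import json
import os
import subprocess


def run_step(script, extra_env=None):
    """Run a step's final script the way the runner does on ubuntu-latest:
    hand the text to bash with the runner's default flags. Returns stdout."""
    env = dict(os.environ)
    env.update(extra_env or {})
    result = subprocess.run(
        ["bash", "--noprofile", "--norc", "-eo", "pipefail", "-c", script],
        capture_output=True, text=True, env=env, check=False,
        stdin=subprocess.DEVNULL,
    )
    return result.stdout


def step_interpolated(message):
    # `run: echo ${{ inputs.message }}` -- the expression is expanded into the
    # script text before bash sees it, so the message is parsed as shell code.
    return run_step(f"echo {message}")


def step_tojson(message):
    # `run: echo ${{ toJSON(inputs.message) }}` -- json.dumps stands in for
    # toJSON: the value becomes a double-quoted JSON string literal in the script.
    return run_step(f"echo {json.dumps(message)}")


def step_env(message, quoted=True):
    # `run: echo "$MESSAGE"` (or unquoted `echo $MESSAGE`) with
    # `env: MESSAGE: ${{ inputs.message }}` -- the expression is expanded into an
    # environment variable and never reaches the script text.
    script = 'echo "$MESSAGE"' if quoted else "echo $MESSAGE"
    return run_step(script, {"MESSAGE": message})


if __name__ == "__main__":
    # Constructed messages (not from the post) that a workflow_dispatch caller
    # could supply: a command separator, a command substitution, a newline.
    for msg in ["hello; echo INJECTED", "$(echo INJECTED)", "first\nsecond"]:
        print(repr(msg))
        print("  interpolated:", repr(step_interpolated(msg)))
        print("  toJSON      :", repr(step_tojson(msg)))
        print("  env quoted  :", repr(step_env(msg)))
        print("  env unquoted:", repr(step_env(msg, quoted=False)))
```

Run it with bash on PATH. The interpolated step executes both the semicolon and the $(...) payloads; toJSON blocks the semicolon but still runs $(...) inside its double quotes and turns the newline into a literal \n; only the quoted env form returns every message exactly as supplied, and the unquoted env form collapses the newline to a space.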

