In early November, Google publicly revealed a “high-severity” security vulnerability that its Project Zero team had discovered in Microsoft-owned GitHub. The issue had first been privately disclosed to GitHub, which was given time to correct it. Once the deadline set by Project Zero had passed, Google disclosed it publicly.
104 days later, GitHub finally fixed the problem
The flaw concerned GitHub’s workflow command functionality, which is the communication channel between the runner that executes actions and the actions being executed. It is part of the Actions feature on GitHub. Google’s Project Zero team said the feature was ‘fundamentally unsafe’, and the team member who reported the issue, Felix Wilhelm, offered two possible solutions: one short-term and one long-term.
It looks like GitHub has taken the short-term solution, at least for now. The GitHub release notes state:
- Disable set-env and add-path Old Runner commands
- Update dotnet install scripts
- Update runner version and release notes
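To check existing step output for the two commands the release notes list as disabled, a log scanner like the one below can be used. It is an added example, not code from GitHub or Project Zero; the `::name key=value::message` line format, the constructed sample log and the `GITHUB_ENV`/`GITHUB_PATH` replacements are assumptions taken from GitHub's workflow-command documentation, not from this article.

```python
import re

# Assumed format: a workflow command is a line a step prints to stdout as
#   ::name key=value,key2=value2::message
# and it must start the line (leading whitespace allowed).
COMMAND_RE = re.compile(
    r"^\s*::(?P<name>[A-Za-z-]+)(?:\s+(?P<params>[^:]*?))?::(?P<message>.*)$"
)

# The two commands the release notes list as disabled, each mapped to the
# environment-file form GitHub documents as its replacement (assumption).
DISABLED = {
    "set-env": 'echo "NAME=value" >> "$GITHUB_ENV"',
    "add-path": 'echo "/some/dir" >> "$GITHUB_PATH"',
}

def parse_command(line):
    """Return (name, params, message) if the line is a workflow command, else None."""
    m = COMMAND_RE.match(line)
    if not m:
        return None
    params = {}
    for pair in filter(None, (m.group("params") or "").split(",")):
        key, _, value = pair.partition("=")
        params[key.strip()] = value.strip()
    return m.group("name").lower(), params, m.group("message")

def find_disabled_commands(log_text):
    """List (line_number, command, params, replacement) for each disabled command."""
    findings = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        parsed = parse_command(line)
        if parsed and parsed[0] in DISABLED:
            name, params, _ = parsed
            findings.append((number, name, params, DISABLED[name]))
    return findings

# Constructed sample step output (not taken from a real run).
SAMPLE_LOG = """\
Restoring packages
::set-env name=BUILD_MODE::release
::warning file=app.js,line=3::unused variable
::add-path::/opt/tools/bin
text with ::set-env in the middle is not a command
"""

if __name__ == "__main__":
    for number, name, params, fix in find_disabled_commands(SAMPLE_LOG):
        print(f"line {number}: ::{name} {params} -> use: {fix}")
```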