From eeda9c0ffda78f53ad84390ce35ea85eb0ea21a2 Mon Sep 17 00:00:00 2001
From: Mathis Wiehl
Date: Wed, 4 Mar 2026 11:56:56 +0100
Subject: [PATCH] Prevent workflow command injection via commit history log

When the action logs commit history to the runner output, any GitHub Actions workflow commands (e.g. ::set-output::, ::error::, ::warning::) present in commit messages are interpreted by the runner. This can cause unexpected side effects or CI failures. Wrap the history output in a ::stop-commands:: / :::: pair so that workflow commands in commit messages are printed literally instead of being executed.
---
 entrypoint.sh | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/entrypoint.sh b/entrypoint.sh
index 7aaf4c69..f5d5656b 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -166,7 +166,10 @@ declare -A history_type=(
   ["compare"]="$(git log "${tag_commit}".."${commit}" --format=%B)" \
 )
 log=${history_type[${branch_history}]}
+stop_commands_token=$(cat /proc/sys/kernel/random/uuid)
+echo "::stop-commands::${stop_commands_token}"
 printf "History:\n---\n%s\n---\n" "$log"
+echo "::${stop_commands_token}::"
 if [ -z "$tagPrefix" ]
 then
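Review bot: The token assignment on the first added line has no failure handling, so if `/proc/sys/kernel/random/uuid` is unreadable (a non-Linux runner, or a hardened container that hides /proc) `stop_commands_token` is empty and the script emits a bare `::stop-commands::` followed by `::::`, which leaves the protection in an undefined state while the untrusted `$log` is still printed in between; whether `set -e` catches this cannot be seen from the hunk. Since the mitigation only works when the token is non-empty and unpredictable, fail closed on it: `stop_commands_token=$(cat /proc/sys/kernel/random/uuid) || { printf 'error: cannot generate stop-commands token\n' >&2; exit 1; }` and, if the script already has a helper for that, `[ -n "$stop_commands_token" ] || die "empty stop-commands token"`. A one-line comment above the block, `# Disable runner workflow-command parsing while untrusted commit messages are printed`, would tell the next maintainer why the token exists. The two new markers use `echo` while the surrounding line uses `printf`; `printf '::stop-commands::%s\n' "$stop_commands_token"` and `printf '::%s::\n' "$stop_commands_token"` keep the file consistent. The enclosing script continues outside the hunk (`if [ -z "$tagPrefix" ]` starts a branch whose body is not shown).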