Feature Request: checking workflow inputs for Untrusted input

[johnpangalos]

Action lint already does this for the github context, could/should it consider workflow input fields as "untrusted" as well? I don't mind making a PR for this as well if needed.

#19

[rhysd]

Thanks for your suggestion.

I agree that workflow inputs can be untrusted since an untrusted value may be derived from other context properties.

It depends on how the input is used in caller site. For example, using foo in call-workflow1 call, but it is not untrusted in call-workflow2 call.

Caller:

jobs:
  call-workflow1:
    uses: org/repo/.github/workflows/reusable-workflow.yml@main
    with:
      # The input `foo` is untrusted
      foo: ${{ github.event.issue.body }}
  call-workflow2:
    uses: org/repo/.github/workflows/reusable-workflow.yml@main
    with:
      # The input `foo` is not untrusted
      foo: test

Callee:

on:
  workflow_call:
    inputs:
      foo:
        type: string

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      # This `inputs.foo` access may or may not be untrusted
      - run: echo ${{ inputs.foo }}

The option is always reporting that the input is untrusted. This means it would cause so many false-positives since actionlint reports an error whenever any input is used in run:. I agree that it's safer, but it would annoy users.