Put a single-line EOF in your pull request body, follow it up with a completely arbitrary set of Bash commands, whatever you damn well like, put all the environment variables with the repository secrets into a webhook request and send them off somewhere, make sure you terminate it with another cat > /dev/null << 'EOF' to match the other EOF. Now you can compromise the entire project by raising a pull request.
Oh sweet baby Jesus. That is some astonishing code for validating the title and body of a PR.
- name: Create PR message file run: | mkdir -p /tmp cat > /tmp/pr-message.txt << 'EOF' ${{ github.event.pull_request.title }} ${{ github.event.pull_request.body }} EOFPut a single-line
EOFin your pull request body, follow it up with a completely arbitrary set of Bash commands, whatever you damn well like, put all the environment variables with the repository secrets into a webhook request and send them off somewhere, make sure you terminate it with anothercat > /dev/null << 'EOF'to match the other EOF. Now you can compromise the entire project by raising a pull request.