GitHub Workflows Exposed: actionlint & zizmor Enforced After Script Injection Vulnerabilities Found
GitHub has mandated new security validation checks after discovering a class of script injection vulnerabilities within its own internal workflows. The platform now requires `actionlint` and `zizmor` to pass as mandatory checks on every pull request that modifies `.github/workflows/**` files. The requirement follows the patch for a specific vulnerability (CWE-78, OS command injection) and is intended to prevent its recurrence; alongside it, GitHub is remediating eight remaining high-risk `inputs.*` interpolation instances found across three separate workflow files.
The core vulnerability stems from how GitHub Actions processes template expressions. User-controlled values, such as branch names, PR titles, and workflow inputs, were being interpolated directly into `run:` blocks. Because `${{ expr }}` expressions are expanded server-side before the step script is handed to the runner shell, the substituted value becomes part of the script text itself rather than data the script reads, which is what made this pattern a critical attack surface: shell metacharacters in a branch name or PR title are parsed by the shell as commands. An attacker could therefore inject shell metacharacters into these inputs to execute arbitrary commands within the privileged runner context. A previous patch (PR #351) fixed this pattern in one file by moving four expressions from inline `run:` text to step-level `env:` blocks, where a value reaches the shell as an environment variable and is read as data rather than spliced into the script, but the dangerous pattern persisted elsewhere.
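As an added illustration, not code from the page or from GitHub's own workflows, the following Python script implements the check this section describes: it finds untrusted `${{ }}` expressions that are expanded inside `run:` blocks, and runs it over a constructed vulnerable step and its `env:`-based fix. The list of untrusted contexts and both sample workflows are assumptions for this example, not actionlint's or zizmor's rule sets.

```python
import re
# Contexts carrying user-controlled values (inputs, event payload fields such
# as PR titles, head branch). Assumed here; not actionlint's or zizmor's rules.
UNTRUSTED_CONTEXTS = ("inputs.", "github.event.", "github.head_ref")
EXPR_RE = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")
RUN_KEY_RE = re.compile(r"^(\s*)(-\s+)?run:\s*(.*)$")
def _indent(line):
    return len(line) - len(line.lstrip(" "))
def run_blocks(workflow_text):
    """Yield (line_no, script) per run: key. Line-based, so no YAML library:
    a block scalar (run: |) continues while lines are indented past the key."""
    lines, i = workflow_text.splitlines(), 0
    while i < len(lines):
        m = RUN_KEY_RE.match(lines[i])
        if not m:
            i += 1
            continue
        key_indent = len(m.group(1)) + len(m.group(2) or "")
        line_no, value = i + 1, m.group(3)
        body = [] if value in ("|", "|-", ">", ">-") else [value]
        i += 1
        while i < len(lines) and (not lines[i].strip() or _indent(lines[i]) > key_indent):
            body.append(lines[i].strip())
            i += 1
        yield line_no, "\n".join(body)
def find_injections(workflow_text):
    """(line_no, expression) for each untrusted expression expanded into script text."""
    return [(n, e) for n, s in run_blocks(workflow_text)
            for e in EXPR_RE.findall(s) if any(c in e for c in UNTRUSTED_CONTEXTS)]

# Constructed sample: user-controlled values become part of the shell script.
VULNERABLE = """\
steps:
  - run: |
      echo "Releasing ${{ inputs.version }}: ${{ github.event.pull_request.title }}"
      git checkout ${{ github.head_ref }}
"""
# Constructed sample of the fix: the same values reach the shell as quoted
# environment variables, so they are read as data, never parsed as code.
FIXED = """\
steps:
  - env:
      VERSION: ${{ inputs.version }}
      TITLE: ${{ github.event.pull_request.title }}
      BRANCH: ${{ github.head_ref }}
    run: |
      echo "Releasing $VERSION: $TITLE on ${{ runner.os }}"
      git checkout "$BRANCH"
"""
```

Running `find_injections` over the two samples flags the three expressions in the vulnerable step and nothing in the fixed one; the `${{ runner.os }}` reference in the fixed step is left alone because it is not user-controlled.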
This internal enforcement signals a shift from reactive patching to proactive, automated security validation at the workflow level. The remediation of the remaining vulnerable expressions across multiple files underscores how pervasive the risk is when user input is not isolated from command execution. The mandatory integration of `actionlint` and `zizmor` establishes a new security gate that directly addresses a systemic weakness in how GitHub's own automation handles untrusted data, and sets a precedent for stricter controls over changes to CI/CD pipelines.