GitHub Action Vulnerability Allows Sensitive File Exfiltration via Symlink in Pull Request Workflows

A security vulnerability in a code review GitHub Action's `prepare` workflow allows malicious pull requests to read and exfiltrate sensitive system files from the runner environment. The flaw, located in the `src/prepare/main.ts` module, stems from the action accepting a `review-reference-file` input and reading the specified path without validating whether it resolves to a symlink. On `pull_request` runs, the workspace is checked out at `github.event.pull_request.head.sha`, meaning any file under the workspace is controlled by the pull request author. This creates a direct path for attackers to weaponize symlink references against the build environment.

The vulnerability presents two distinct attack vectors. First, a pull request can replace the reference markdown file with a symlink pointing to sensitive paths such as `/proc/self/environ`, `.git/config`, or other runner-readable locations. When the action processes this, file contents are written into `.codex/chunk-N-prompt.md` artifacts and uploaded as `codex-prepare`, then sent to OpenAI by the review workflow. Second, the same file-write mechanism allows review-policy injection: an attacker can rewrite the markdown to include instructions that suppress findings or downplay risky changes, effectively steering the model away from legitimate security concerns in the codebase under review.

The issue has been flagged as the sole code-level vulnerability in the current queue, signaling priority status for remediation. Developers maintaining similar GitHub Actions that accept file paths from user-controlled inputs face comparable risks if symlink resolution is not explicitly checked before filesystem operations. The affected code path uses `fs.existsSync()` followed by `fs.readFileSync()` without sanitization, a pattern that security reviewers flag as a known source of path traversal exposure in automated CI/CD tooling.