From f9d8109d52b3a4f751e2057c91342ca116253a53 Mon Sep 17 00:00:00 2001 From: Josh Gross Date: Tue, 13 May 2025 10:53:59 -0400 Subject: [PATCH 1/3] Clearly document passing inputs to the `script` --- README.md | 46 +++++++++++++++++++++++++--------------------- 1 file changed, 25 insertions(+), 21 deletions(-) diff --git a/README.md b/README.md index 98cf4486f..5f8b8f597 100644 --- a/README.md +++ b/README.md @@ -59,6 +59,31 @@ For example, `github.issues.createComment` in V4 becomes `github.rest.issues.cre See [development.md](/docs/development.md). +## Passing inputs to the script + +Actions expressions are evaluated before the `script` is passed to the action, so the result of any expressions +*will be evaluated as JavaScript code*. + +It's highly recommended to *not* evaluate expressions directly in the `script` to avoid +[script injections](https://docs.github.com/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#understanding-the-risk-of-script-injections) +and potential `SyntaxError`s when the expression is not valid JavaScript code (particlarly when it comes to inproperly escaped strings). + +To pass inputs, set `env` vars on the action step and reference then them in your script with `process.env`: + +```yaml +- uses: actions/github-script@v7 + env: + TITLE: ${{ github.event.pull_request.title }} + with: + script: | + const title = process.env.TITLE; + if (title.startsWith('octocat')) { + console.log("PR title starts with 'octocat'"); + } else { + console.error("PR title did not start with 'octocat'"); + } +``` + ## Reading step results The return value of the script will be in the step's outputs under the @@ -444,27 +469,6 @@ export default async ({ core, context }) => { }; ``` -### Use env as input - -You can set env vars to use them in your script: - -```yaml -on: push - -jobs: - echo-input: - runs-on: ubuntu-latest - steps: - - uses: actions/github-script@v7 - env: - FIRST_NAME: Mona - LAST_NAME: Octocat - with: - script: | - const { FIRST_NAME, LAST_NAME } = process.env - - console.log(`Hello ${FIRST_NAME} ${LAST_NAME}`) -``` ### Using a separate GitHub token From 3424b52d08b4c47dbb213775f1ab9d14c7d3fb0e Mon Sep 17 00:00:00 2001 From: Josh Gross Date: Tue, 13 May 2025 11:04:53 -0400 Subject: [PATCH 2/3] typo fixes --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 5f8b8f597..466ed463d 100644 --- a/README.md +++ b/README.md @@ -66,9 +66,9 @@ Actions expressions are evaluated before the `script` is passed to the action, s It's highly recommended to *not* evaluate expressions directly in the `script` to avoid [script injections](https://docs.github.com/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#understanding-the-risk-of-script-injections) -and potential `SyntaxError`s when the expression is not valid JavaScript code (particlarly when it comes to inproperly escaped strings). +and potential `SyntaxError`s when the expression is not valid JavaScript code (particularly when it comes to improperly escaped strings). -To pass inputs, set `env` vars on the action step and reference then them in your script with `process.env`: +To pass inputs, set `env` vars on the action step and reference them in your script with `process.env`: ```yaml - uses: actions/github-script@v7 From 1ae9958572fde544457e4d51aed5ea044e8936f3 Mon Sep 17 00:00:00 2001 From: Ben De St Paer-Gotch Date: Mon, 2 Jun 2025 10:34:00 +0100 Subject: [PATCH 3/3] Update README.md --- README.md | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/README.md b/README.md index 466ed463d..6fe8ae7e6 100644 --- a/README.md +++ b/README.md @@ -7,6 +7,26 @@ This action makes it easy to quickly write a script in your workflow that uses the GitHub API and the workflow run context. +### Note + +Thank you for your interest in this GitHub action, however, right now we are not taking contributions. + +We continue to focus our resources on strategic areas that help our customers be successful while making developers' lives easier. While GitHub Actions remains a key part of this vision, we are allocating resources towards other areas of Actions and are not taking contributions to this repository at this time. The GitHub public roadmap is the best place to follow along for any updates on features we’re working on and what stage they’re in. + +We are taking the following steps to better direct requests related to GitHub Actions, including: + +1. We will be directing questions and support requests to our [Community Discussions area](https://github.com/orgs/community/discussions/categories/actions) + +2. High Priority bugs can be reported through Community Discussions or you can report these to our support team https://support.github.com/contact/bug-report. + +3. Security Issues should be handled as per our [security.md](security.md) + +We will still provide security updates for this project and fix major breaking changes during this time. + +You are welcome to still raise bugs in this repo. + +### This action + To use this action, provide an input named `script` that contains the body of an asynchronous JavaScript function call. The following arguments will be provided: