Prevent workflow command injection via commit history log

fahrradflucht · fahrradflucht · commit eeda9c0ffda7 · 2026-03-04T11:57:09.000+01:00
When the action logs commit history to the runner output, any GitHub
Actions workflow commands (e.g. ::set-output::, ::error::, ::warning::)
present in commit messages are interpreted by the runner. This can cause
unexpected side effects or CI failures.

Wrap the history output in a ::stop-commands:: / ::&lt;endtoken&gt;:: pair
so that workflow commands in commit messages are printed literally
instead of being executed.
diff --git a/entrypoint.sh b/entrypoint.sh
@@ -166,7 +166,10 @@ declare -A history_type=(
     ["compare"]="$(git log "${tag_commit}".."${commit}" --format=%B)" \
 )
 log=${history_type[${branch_history}]}
+stop_commands_token=$(cat /proc/sys/kernel/random/uuid)
+echo "::stop-commands::${stop_commands_token}"
 printf "History:\n---\n%s\n---\n" "$log"
+echo "::${stop_commands_token}::"
 
 if [ -z "$tagPrefix" ]
 then
