What is the purpose of `actions/github-script` and what are its security considerations?

Question

Github — Hard

What is the purpose of `actions/github-script` and what are its security considerations?

Accepted Answer

The `actions/github-script` action enables direct JavaScript execution in workflow YAML, leveraging an authenticated Octokit client. This allows for dynamic interaction with the GitHub API. However, security concerns arise when user-controlled input is directly interpolated into the script. Passing input as environment variables mitigates script injection risks.