GitHub Actions' `shell` Keyword: Unexpected Flexibility and Security Implications
2025-04-08
The `shell` keyword in GitHub Actions lets you specify the shell for a given `run` block. However, it is far more flexible than the documentation suggests: it accepts not only the predefined shells such as `bash` and `pwsh`, but any executable on the runner's `$PATH`. This means you can run C code by naming a C compiler as the shell, or dynamically append to `$GITHUB_PATH` to change which executable a later step's shell resolves to. While this offers flexibility, it also introduces security risk, because a file write can imply code execution. This is compounded by GitHub's unexpected practice of performing `$PATH` lookups even for the "well-known" shell values.
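As an added example (not code from the original post), a small defender-side audit in Python that flags workflow steps whose `shell:` names an executable outside GitHub's documented set, and steps that append to `$GITHUB_PATH`; the sample workflow and the `mycc` shell name are constructed.

```python
"""Audit GitHub Actions workflow text for unusual `shell:` values and
writes to $GITHUB_PATH. Constructed example; line-based, not a YAML parser."""
import re

# Shells GitHub documents as built-in values for the `shell` keyword.
WELL_KNOWN_SHELLS = {"bash", "sh", "pwsh", "powershell", "python", "cmd"}

SHELL_RE = re.compile(r"^\s*shell:\s*(.+?)\s*$")
# Matches appends/redirects into $GITHUB_PATH, e.g. `echo dir >> "$GITHUB_PATH"`.
GITHUB_PATH_RE = re.compile(r">>?\s*\"?\$\{?GITHUB_PATH\}?\"?")

# Constructed sample workflow: one benign step, one PATH write, one custom shell.
SAMPLE_WORKFLOW = """\
name: ci
on: push
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - run: echo hello
        shell: bash
      - run: echo "$PWD/tools" >> "$GITHUB_PATH"
        shell: bash
      - run: int main(void) { return 0; }
        shell: mycc {0}
"""


def audit_workflow(text: str) -> list[tuple[int, str]]:
    """Return (line number, finding) pairs for a workflow's YAML text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = SHELL_RE.match(line)
        if m:
            value = m.group(1).strip("'\"")
            # First token is the executable; `{0}` is where the script path goes.
            executable = value.split()[0] if value else ""
            if executable not in WELL_KNOWN_SHELLS:
                findings.append((lineno, f"custom shell executable: {value!r}"))
        if GITHUB_PATH_RE.search(line):
            findings.append((lineno, "write to $GITHUB_PATH alters later shell lookups"))
    return findings


if __name__ == "__main__":
    for lineno, finding in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {finding}")
```

Because well-known names are also resolved via `$PATH`, a flagged `$GITHUB_PATH` write deserves review even when every `shell:` value in the file is `bash`.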
Development