GitHub Workflow Expressions (`${{ ... }}`) used in the `if` condition of a job or step must not be surrounded by extra characters or whitespace. Otherwise the runner treats the whole value as a template string rather than as an expression, and the condition invariably evaluates to true.
When an `if` condition erroneously evaluates to true, steps that should have been skipped run anyway, including steps designed to run only in secure scenarios (for example, only after a validation step has passed). This subverts the intended conditional logic of the workflow and can lead to security vulnerabilities and unintended consequences.
To avoid an `if` condition that always evaluates to true, eliminate any extra characters or whitespace around the expression in your GitHub Actions workflow:
- Do not use `${{` and `}}` around Workflow Expressions in `if` conditions; the runner evaluates the bare condition as an expression.
- Avoid multiline or spaced-out conditional expressions that might inadvertently introduce unwanted characters or formatting (for example, a trailing newline from a `|` or `>` block scalar).
- Test the workflow to ensure the `if` conditions behave as expected under different scenarios, including the case where the condition should be false and the step must be skipped.
- Omit `${{` and `}}` in `if` conditions. Each of the following forms is evaluated as an expression:

  ```yaml
  if: steps.checks.outputs.safe_to_run == true

  # alternative
  if: |-
    steps.checks.outputs.safe_to_run == true

  # alternative
  if: |
    steps.checks.outputs.safe_to_run == true
  ```
- If you do use `${{` and `}}`, make sure the delimiters are the very first and last characters of the `if` value, with no extra spaces or characters around them:

  ```yaml
  if: ${{ steps.checks.outputs.safe_to_run == true }}

  # alternative: |- strips the trailing newline, so the value is still exactly one expression
  if: |-
    ${{ steps.checks.outputs.safe_to_run == true }}
  ```
- Do not mix Workflow Expressions with un-delimited expression text. The value below is rendered as a template string, not evaluated as an expression, so it always evaluates to true:

  ```yaml
  if: ${{ steps.checks.outputs.safe_to_run }} == true
  ```
- Do not include leading or trailing spaces or newlines around the expression. All of the following always evaluate to true (`|` and `>` append a trailing newline, `|+` and `>+` keep trailing newlines, and the quoted form carries a leading space):

  ```yaml
  if: |
    ${{ steps.checks.outputs.safe_to_run == true }}

  if: >
    ${{ steps.checks.outputs.safe_to_run == true }}

  if: " ${{ steps.checks.outputs.safe_to_run == true }}"

  if: |+
    ${{ steps.checks.outputs.safe_to_run == true }}

  if: >+
    ${{ steps.checks.outputs.safe_to_run == true }}
  ```
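The rules above can be checked mechanically. The following is an added example, not code from this page or from the actions/runner project: a small model of how the runner decides whether an `if:` value is evaluated as an expression or rendered as a template string, plus a linter that flags the always-true forms listed above and proposes the safe rewrite. `yaml_scalar` is an assumed, simplified model of YAML scalar chomping for a one-line value (written so the example runs without a YAML library), and the `CASES` list is constructed for the example rather than taken from a real workflow.

```python
"""
Added example: model of the GitHub Actions runner's handling of `if:` values.
Not runner code; yaml_scalar is a simplified model, CASES are constructed.
"""
import re

# One ${{ ... }} with nothing (not even whitespace) before or after it.
# fullmatch is used deliberately: re.match with "$" would accept a trailing
# newline, which is exactly the case that must be caught.
_SOLE_EXPR = re.compile(r"\$\{\{(.*)\}\}", re.DOTALL)
_ANY_EXPR = re.compile(r"\$\{\{(.*?)\}\}", re.DOTALL)


def yaml_scalar(style: str, body: str) -> str:
    """Return the string YAML produces for a one-line `if:` value.

    Simplified model (assumption: body is a single line):
      ""          plain scalar          -> body
      '"'         double-quoted scalar  -> body (quoted spaces are preserved)
      "|", ">"    clip chomping         -> body + "\n"
      "|+", ">+"  keep chomping         -> body + "\n"
      "|-", ">-"  strip chomping        -> body
    """
    if style in ("", '"', "|-", ">-"):
        return body
    if style in ("|", ">", "|+", ">+"):
        return body + "\n"
    raise ValueError(f"unsupported YAML style: {style!r}")


def classify_if(value: str):
    """Decide how the runner treats an `if:` string.

    Returns (kind, expression):
      ("expression", expr)  the runner evaluates expr; the step runs only
                            if expr is truthy.
      ("always_true", None) the value mixes ${{ }} with other characters
                            (a space or newline is enough), so it is
                            rendered as a template string; the result is a
                            non-empty string, which is truthy, so the step
                            always runs.
    """
    if "${{" not in value:
        # No delimiters: the whole value is the expression. Surrounding
        # whitespace is part of the expression text and is harmless.
        return ("expression", value.strip())
    if value.count("${{") == 1 and (m := _SOLE_EXPR.fullmatch(value)):
        return ("expression", m.group(1).strip())
    return ("always_true", None)


def normalize_if(value: str) -> str:
    """Rewrite an `if:` value as a bare expression the runner will evaluate.

    Drops the delimiters and collapses whitespace, so `${{ a }} == true`
    becomes `a == true`. Values with several ${{ }} blocks need a manual
    rewrite and raise ValueError.
    """
    if value.count("${{") > 1:
        raise ValueError("multiple expressions; rewrite this condition by hand")
    bare = _ANY_EXPR.sub(lambda m: m.group(1), value)
    return " ".join(bare.split())


# Constructed sample (scalar style, value text) covering the forms discussed
# above; not taken from a real workflow.
CASES = [
    ("",   "steps.checks.outputs.safe_to_run == true"),
    ("|",  "steps.checks.outputs.safe_to_run == true"),
    ("",   "${{ steps.checks.outputs.safe_to_run == true }}"),
    ("|-", "${{ steps.checks.outputs.safe_to_run == true }}"),
    ("",   "${{ steps.checks.outputs.safe_to_run }} == true"),
    ("|",  "${{ steps.checks.outputs.safe_to_run == true }}"),
    (">",  "${{ steps.checks.outputs.safe_to_run == true }}"),
    ('"',  " ${{ steps.checks.outputs.safe_to_run == true }}"),
    ("|+", "${{ steps.checks.outputs.safe_to_run == true }}"),
    (">+", "${{ steps.checks.outputs.safe_to_run == true }}"),
]


def lint_conditions(cases):
    """Return (style, body, suggested_rewrite) for every always-true case."""
    findings = []
    for style, body in cases:
        value = yaml_scalar(style, body)
        kind, _ = classify_if(value)
        if kind == "always_true":
            findings.append((style, body, normalize_if(value)))
    return findings


if __name__ == "__main__":
    for style, body, fix in lint_conditions(CASES):
        print(f"always true: if: {style} {body!r}\n  rewrite as: if: {fix}")
```

Running the script reports six of the ten constructed cases as always true (the mixed form, the `|`, `>`, `|+` and `>+` block scalars, and the quoted value with a leading space) and suggests the bare `steps.checks.outputs.safe_to_run == true` for each; the two undelimited forms and the two delimited forms without surrounding whitespace pass. One further caveat the condition itself raises, independent of the whitespace problem: step outputs are strings, and GitHub coerces mismatched types to numbers before `==`, so in a real workflow compare against the string `'true'` rather than the boolean `true`.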
- GitHub actions/runner Issues: Expression Always True.