Harden workflow GitHub context handling

[enyst]

• A human has tested these changes.

---

Why

Fixes #3371. GitHub Actions run blocks should not interpolate attacker-influenced GitHub context, workflow inputs, or derived outputs directly into shell scripts.

Summary

• Moves GitHub context, workflow input, and attacker-influenced step output values from run: interpolation into step env: blocks.
• Updates shell references to use environment variables instead of direct ${{ ... }} expansion.
• Covers workflows including release, examples, integration/condenser comments, server image publishing, TODO management, and version bump automation.

Issue Number

Fixes #3371

How to Test

• python + PyYAML validation over all changed workflow/action YAML files across the audited repositories: validated changed yaml files: 33
• Repository scanner confirmed: remaining suspicious run blocks: 0
• git diff --check across all audited repositories
• uv run pre-commit run --files $(git diff --name-only) in OpenHands/software-agent-sdk (yamlfmt passed; Python hooks skipped because only workflow files changed)

Video/Screenshots

Not applicable; workflow hardening only.

Type

• Bug fix
• Feature
• Refactor
• Breaking change
• Docs / chore

Notes

This PR was created by an AI agent (OpenHands) on behalf of the user.

@enyst can click here to continue refining the PR

---

Agent Server images for this PR

• GHCR package: https://github.com/OpenHands/agent-sdk/pkgs/container/agent-server

Variants & Base Images

Variant	Architectures	Base Image	Docs / Tags
java	amd64, arm64	eclipse-temurin:17-jdk	Link
python	amd64, arm64	nikolaik/python-nodejs:python3.13-nodejs22-slim	Link
golang	amd64, arm64	golang:1.21-bookworm	Link

Pull (multi-arch manifest)

# Each variant is a multi-arch manifest supporting both amd64 and arm64
docker pull ghcr.io/openhands/agent-server:511f918-python

Run

docker run -it --rm \
  -p 8000:8000 \
  --name agent-server-511f918-python \
  ghcr.io/openhands/agent-server:511f918-python

All tags pushed for this build

ghcr.io/openhands/agent-server:511f918-golang-amd64
ghcr.io/openhands/agent-server:511f918a068a5435b3ca99c4c4ca9f514b382154-golang-amd64
ghcr.io/openhands/agent-server:openhands-issue-3371-workflow-env-golang-amd64
ghcr.io/openhands/agent-server:511f918-golang_tag_1.21-bookworm-amd64
ghcr.io/openhands/agent-server:511f918-golang-arm64
ghcr.io/openhands/agent-server:511f918a068a5435b3ca99c4c4ca9f514b382154-golang-arm64
ghcr.io/openhands/agent-server:openhands-issue-3371-workflow-env-golang-arm64
ghcr.io/openhands/agent-server:511f918-golang_tag_1.21-bookworm-arm64
ghcr.io/openhands/agent-server:511f918-java-amd64
ghcr.io/openhands/agent-server:511f918a068a5435b3ca99c4c4ca9f514b382154-java-amd64
ghcr.io/openhands/agent-server:openhands-issue-3371-workflow-env-java-amd64
ghcr.io/openhands/agent-server:511f918-eclipse-temurin_tag_17-jdk-amd64
ghcr.io/openhands/agent-server:511f918-java-arm64
ghcr.io/openhands/agent-server:511f918a068a5435b3ca99c4c4ca9f514b382154-java-arm64
ghcr.io/openhands/agent-server:openhands-issue-3371-workflow-env-java-arm64
ghcr.io/openhands/agent-server:511f918-eclipse-temurin_tag_17-jdk-arm64
ghcr.io/openhands/agent-server:511f918-python-amd64
ghcr.io/openhands/agent-server:511f918a068a5435b3ca99c4c4ca9f514b382154-python-amd64
ghcr.io/openhands/agent-server:openhands-issue-3371-workflow-env-python-amd64
ghcr.io/openhands/agent-server:511f918-nikolaik_s_python-nodejs_tag_python3.13-nodejs22-slim-amd64
ghcr.io/openhands/agent-server:511f918-python-arm64
ghcr.io/openhands/agent-server:511f918a068a5435b3ca99c4c4ca9f514b382154-python-arm64
ghcr.io/openhands/agent-server:openhands-issue-3371-workflow-env-python-arm64
ghcr.io/openhands/agent-server:511f918-nikolaik_s_python-nodejs_tag_python3.13-nodejs22-slim-arm64
ghcr.io/openhands/agent-server:511f918-golang
ghcr.io/openhands/agent-server:511f918a068a5435b3ca99c4c4ca9f514b382154-golang
ghcr.io/openhands/agent-server:openhands-issue-3371-workflow-env-golang
ghcr.io/openhands/agent-server:511f918-golang_tag_1.21-bookworm
ghcr.io/openhands/agent-server:511f918-java
ghcr.io/openhands/agent-server:511f918a068a5435b3ca99c4c4ca9f514b382154-java
ghcr.io/openhands/agent-server:openhands-issue-3371-workflow-env-java
ghcr.io/openhands/agent-server:511f918-eclipse-temurin_tag_17-jdk
ghcr.io/openhands/agent-server:511f918-python
ghcr.io/openhands/agent-server:511f918a068a5435b3ca99c4c4ca9f514b382154-python
ghcr.io/openhands/agent-server:openhands-issue-3371-workflow-env-python
ghcr.io/openhands/agent-server:511f918-nikolaik_s_python-nodejs_tag_python3.13-nodejs22-slim

About Multi-Architecture Support

• Each variant tag (e.g., 511f918-python) is a multi-arch manifest supporting both amd64 and arm64
• Docker automatically pulls the correct architecture for your platform
• Individual architecture tags (e.g., 511f918-python-amd64) are also available if needed

[github-actions]

Python API breakage checks — ✅ PASSED

Result: ✅ PASSED

Action log

[github-actions]

REST API breakage checks (OpenAPI) — ✅ PASSED

Result: ✅ PASSED

Action log

[all-hands-bot]

Good security hardening work. The approach — moving ${{ ... }} GitHub context expressions into env: blocks and referencing them as $VAR_NAME in shell — is the correct fix for script injection vulnerabilities (CWE-78). Coverage is comprehensive across all 12 workflow files.

Two minor points worth addressing before merge (both low-risk, one stylistic and one functional).

---

This review was generated by an AI agent (OpenHands) on behalf of the user through OpenHands Automation.

[all-hands-bot]

🟡 Taste Rating: Acceptable — the hardening direction is good, but two workflow-input paths still need tightening before approval.

Issues found:

• .github/workflows/integration-runner.yml still expands workflow_dispatch model_ids into Python source in the Resolve model configurations heredoc (model_ids = "$MODEL_IDS".split(",")). A quoted heredoc plus os.environ would avoid pre-validation code injection.
• See inline note on version-bump-prs.yml for $GITHUB_OUTPUT injection before validation.

Risk: 🟡 Medium, because these workflows handle attacker-influenced inputs and some downstream jobs use elevated tokens/secrets.

This review was generated by an AI agent (OpenHands) on behalf of the user.

---

Was this automated review useful? React with 👍 or 👎 to this review to help us measure review quality.
Workflow run: https://github.com/OpenHands/software-agent-sdk/actions/runs/26371139976

[all-hands-bot]

🟡 Taste Rating: Acceptable — the hardening direction is right, but a few injection/regression issues still need follow-up.

I left inline comments for the model-resolution regression, unsafe output handling, and JSON payload construction. One additional sweep item: .github/workflows/server.yml still builds build-info/*.json with an unquoted heredoc containing ${{ env.IMAGE }} / step outputs, so workflow-dispatch image or malformed outputs can still be expanded by the shell; please generate that JSON via env + jq -n as well.

[RISK ASSESSMENT]

• [Overall PR] ⚠️ Risk Assessment: 🟡 MEDIUM. These are privileged CI/workflow paths, and the remaining shell/output/JSON handling gaps can break runs or preserve injection surfaces.

VERDICT: ❌ Needs follow-up before approval.

This review was generated by an AI agent (OpenHands) on behalf of the user.

---

Was this automated review useful? React with 👍 or 👎 to this review to help us measure review quality.
Workflow run: https://github.com/OpenHands/software-agent-sdk/actions/runs/26371627904

[all-hands-bot]

🟡 Taste Rating: Acceptable — the direction is right, but a few workflow input/output paths still need tightening.

Risk: 🟡 Medium (privileged CI/release workflows; issues are scoped to workflow hardening). This review was generated by an AI agent (OpenHands) on behalf of the user.

---

Was this automated review useful? React with 👍 or 👎 to this review to help us measure review quality.
Workflow run: https://github.com/OpenHands/software-agent-sdk/actions/runs/26372133139