Google's Project Zero in July found a security flaw in Microsoft's GitHub. The bug relates to GitHub Actions' workflow commands and is described as being high severity.
Project Zero's report explains: "As the runner process parses every line printed to STDOUT looking for workflow commands, every GitHub action that prints untrusted content as part of its execution is vulnerable. In most cases, the ability to set arbitrary environment variables results in remote code execution as soon as another workflow is executed."
GitHub did not fix the bug within the standard 90-day disclosure window, so the details were made public. Since 2014, whenever GPZ publishes a vulnerability in a vendor's software or hardware, it always notifies the owner before making it public.
GitHub, for its part, responded with a statement on its blog on 1st October.
"A moderate security vulnerability has been identified in the GitHub Actions runner that can allow environment variable and path injection in workflows that log untrusted data to STDOUT. This can result in environment variables being introduced or modified without the intention of the workflow author."
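To make the two descriptions above concrete (the runner scanning every STDOUT line for commands, and untrusted log data turning into an environment change), here is an added example that is not from the Project Zero report or GitHub's code. It is a simplified Python model of that scan, using the documented `::set-env name=NAME::VALUE` and `::stop-commands::TOKEN` syntax; the sample output and the variable name `INJECTED_VAR` are constructed, and `honor_set_env=False` stands in for the fix in which the runner no longer acts on `set-env`.

```python
import re
import secrets

# Simplified model of the line-oriented workflow-command syntax the runner
# scanned for in every STDOUT line, e.g. "::set-env name=FOO::bar".
CMD_RE = re.compile(r"^::([a-z-]+)(?: name=([A-Za-z_][A-Za-z0-9_]*))?::(.*)$")

def simulate_runner(lines, honor_set_env=True):
    """Return the environment changes the runner would apply after scanning
    `lines` (an action's STDOUT). honor_set_env=False models the fix, in
    which the runner ignores ::set-env entirely."""
    env = {}
    stop_token = None  # set while inside a ::stop-commands:: block
    for line in lines:
        line = line.rstrip("\n")
        if stop_token is not None:
            # Nothing is treated as a command until the end-token line appears.
            if line == f"::{stop_token}::":
                stop_token = None
            continue
        m = CMD_RE.match(line)
        if not m:
            continue  # ordinary log output
        cmd, name, value = m.groups()
        if cmd == "stop-commands" and value:
            stop_token = value
        elif cmd == "set-env" and honor_set_env and name:
            env[name] = value
    return env

def wrap_untrusted(lines, token=None):
    """Mitigation for a workflow author: bracket untrusted output with a
    stop-commands block keyed by an unguessable token, so no line inside
    it can be parsed as a command."""
    token = token or secrets.token_hex(16)
    return [f"::stop-commands::{token}", *lines, f"::{token}::"]

# Constructed sample: an action logs an attacker-supplied issue title that
# lands on its own line and happens to look like a workflow command.
UNTRUSTED_OUTPUT = [
    "Processing issue #123",
    "::set-env name=INJECTED_VAR::owned",  # text taken from the issue title
    "Done",
]

if __name__ == "__main__":
    print("vulnerable runner:", simulate_runner(UNTRUSTED_OUTPUT))
    print("with stop-commands:", simulate_runner(wrap_untrusted(UNTRUSTED_OUTPUT)))
    print("after fix:", simulate_runner(UNTRUSTED_OUTPUT, honor_set_env=False))
```

Only the first call yields an environment change; the token-wrapped and post-fix runs return an empty dict, which is the behaviour a workflow author should verify before echoing untrusted data.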
See more on the GitHub Blog.