Merge pull request #94 from github/fix/sanitizer_scalar_value

Fix: ControlChecks protects/dominates only work with Steps. A sink can be in a sub-step node (eg: ScalarValue)

Author: Alvaro Muñoz

ql/lib/codeql/actions/Ast.qll

@@ -13,6 +13,8 @@ class AstNode instanceof AstNodeImpl {
 
   string toString() { result = super.toString() }
 
+  Step getEnclosingStep() { result = super.getEnclosingStep() }
+
   Job getEnclosingJob() { result = super.getEnclosingJob() }
 
   Workflow getEnclosingWorkflow() { result = super.getEnclosingWorkflow() }

ql/lib/codeql/actions/ast/internal/Ast.qll

@@ -110,6 +110,18 @@ abstract class AstNodeImpl extends TAstNode {
     result = this.getEnclosingCompositeAction().getACallerJob()
   }
 
+  /**
+   * Gets the enclosing Step.
+   */
+  StepImpl getEnclosingStep() {
+    if this instanceof StepImpl
+    then result = this
+    else
+      if this instanceof ScalarValueImpl
+      then result.getAChildNode*() = this.getParentNode()
+      else none()
+  }
+
   /**
    * Gets the enclosing workflow if any.
    */

ql/lib/codeql/actions/security/ControlChecks.qll

@@ -37,39 +37,39 @@ abstract class ControlCheck extends AstNode {
     this instanceof Run
   }
 
-  predicate protects(Step step, Event event, string category) {
+  predicate protects(AstNode node, Event event, string category) {
     // The check dominates the step it should protect
-    this.dominates(step) and
+    this.dominates(node) and
     // The check is effective against the event and category
     this.protectsCategoryAndEvent(category, event.getName()) and
     // The check can be triggered by the event
     this.getEnclosingJob().getATriggerEvent() = event
   }
 
-  predicate dominates(Step step) {
+  predicate dominates(AstNode node) {
     this instanceof If and
     (
-      step.getIf() = this or
-      step.getEnclosingJob().getIf() = this or
-      step.getEnclosingJob().getANeededJob().(LocalJob).getAStep().getIf() = this or
-      step.getEnclosingJob().getANeededJob().(LocalJob).getIf() = this
+      node.getEnclosingStep().getIf() = this or
+      node.getEnclosingJob().getIf() = this or
+      node.getEnclosingJob().getANeededJob().(LocalJob).getAStep().getIf() = this or
+      node.getEnclosingJob().getANeededJob().(LocalJob).getIf() = this
     )
     or
     this instanceof Environment and
     (
-      step.getEnclosingJob().getEnvironment() = this
+      node.getEnclosingJob().getEnvironment() = this
       or
-      step.getEnclosingJob().getANeededJob().getEnvironment() = this
+      node.getEnclosingJob().getANeededJob().getEnvironment() = this
     )
     or
     (
       this instanceof Run or
       this instanceof UsesStep
     ) and
     (
-      this.(Step).getAFollowingStep() = step
+      this.(Step).getAFollowingStep() = node.getEnclosingStep()
       or
-      step.getEnclosingJob().getANeededJob().(LocalJob).getAStep() = this.(Step)
+      node.getEnclosingJob().getANeededJob().(LocalJob).getAStep() = this.(Step)
     )
   }
 

ql/src/Security/CWE-077/EnvVarInjectionCritical.ql

@@ -22,19 +22,20 @@ from EnvVarInjectionFlow::PathNode source, EnvVarInjectionFlow::PathNode sink, E
 where
   EnvVarInjectionFlow::flowPath(source, sink) and
   inPrivilegedContext(sink.getNode().asExpr(), event) and
-  not exists(ControlCheck check |
-    check.protects(sink.getNode().asExpr(), event, "envvar-injection")
-  ) and
   // exclude paths to file read sinks from non-artifact sources
   (
+    // source is text
     not source.getNode().(RemoteFlowSource).getSourceType() = "artifact" and
     not exists(ControlCheck check |
-      check.protects(sink.getNode().asExpr(), event, "code-injection")
+      check.protects(sink.getNode().asExpr(), event, ["envvar-injection", "code-injection"])
     )
     or
+    // source is an artifact or a file from an untrusted checkout
     source.getNode().(RemoteFlowSource).getSourceType() = "artifact" and
     not exists(ControlCheck check |
-      check.protects(sink.getNode().asExpr(), event, ["untrusted-checkout", "artifact-poisoning"])
+      check
+          .protects(sink.getNode().asExpr(), event,
+            ["envvar-injection", "untrusted-checkout", "artifact-poisoning"])
     ) and
     (
       sink.getNode() instanceof EnvVarInjectionFromFileReadSink or

ql/src/Security/CWE-078/CommandInjectionCritical.ql

@@ -16,11 +16,15 @@
 import actions
 import codeql.actions.security.CommandInjectionQuery
 import CommandInjectionFlow::PathGraph
+import codeql.actions.security.ControlChecks
 
 from CommandInjectionFlow::PathNode source, CommandInjectionFlow::PathNode sink, Event event
 where
   CommandInjectionFlow::flowPath(source, sink) and
-  inPrivilegedContext(sink.getNode().asExpr(), event)
+  inPrivilegedContext(sink.getNode().asExpr(), event) and
+  not exists(ControlCheck check |
+    check.protects(sink.getNode().asExpr(), event, ["command-injection", "code-injection"])
+  )
 select sink.getNode(), source, sink,
   "Potential command injection in $@, which may be controlled by an external user.", sink,
   sink.getNode().asExpr().(Expression).getRawExpression()

ql/test/query-tests/Security/CWE-077/.github/workflows/test11.yml

@@ -0,0 +1,81 @@
+name: Write prerelease comment
+
+on:
+  workflow_run:
+    workflows: ["Create Pull Request Prerelease"]
+    types:
+      - completed
+
+jobs:
+  comment:
+    if: ${{ github.repository_owner == 'cloudflare' }}
+    runs-on: ubuntu-latest
+    name: Write comment to the PR
+    steps:
+      - name: "Put PR and workflow ID on the environment"
+        uses: actions/github-script@v7
+        with:
+          script: |
+            // Copied from .github/extract-pr-and-workflow-id.js
+            const allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              run_id: context.payload.workflow_run.id,
+            });
+
+            for (const artifact of allArtifacts.data.artifacts) {
+              // Extract the PR number from the artifact name
+              const match = /^npm-package-(.+)-(\d+)$/.exec(artifact.name);
+              if (match) {
+                const packageName = match[1].toUpperCase();
+                require("fs").appendFileSync(
+                  process.env.GITHUB_ENV,
+                  `\nWORKFLOW_RUN_PR_FOR_${packageName}=${match[2]}` +
+                    `\nWORKFLOW_RUN_ID_FOR_${packageName}=${context.payload.workflow_run.id}`
+                );
+              }
+            }
+
+      - name: "Download runtime versions"
+        # Regular `actions/download-artifact` doesn't support downloading
+        # artifacts from another workflow
+        uses: dawidd6/action-download-artifact@v2
+        with:
+          run_id: ${{ github.event.workflow_run.id }}
+          name: runtime-versions.md
+
+      - name: "Put runtime versions on the environment"
+        id: runtime_versions
+        run: |
+          {
+            echo 'RUNTIME_VERSIONS<<EOF'
+            cat runtime-versions.md
+            echo EOF
+          } >> "$GITHUB_ENV"
+
+      - name: "Download pre-release report"
+        uses: dawidd6/action-download-artifact@v2
+        with:
+          run_id: ${{ github.event.workflow_run.id }}
+          name: prerelease-report.md
+
+      - name: "Put pre-release report on the environment"
+        id: prerelease_report
+        run: |
+          {
+            echo 'PRERELEASE_REPORT<<EOF'
+            cat prerelease-report.md
+            echo EOF
+          } >> "$GITHUB_ENV"
+
+      - name: "Comment on PR with Wrangler link"
+        uses: marocchino/sticky-pull-request-comment@v2
+        with:
+          number: ${{ env.WORKFLOW_RUN_PR_FOR_WRANGLER }}
+          message: |
+            ${{ env.PRERELEASE_REPORT }}
+
+            ---
+
+            ${{ env.RUNTIME_VERSIONS }}
+

ql/test/query-tests/Security/CWE-077/.github/workflows/test12.yml

@@ -0,0 +1,80 @@
+name: Write prerelease comment
+
+on:
+  workflow_run:
+    workflows: ["Create Pull Request Prerelease"]
+    types:
+      - completed
+
+jobs:
+  comment:
+    runs-on: ubuntu-latest
+    name: Write comment to the PR
+    steps:
+      - name: "Put PR and workflow ID on the environment"
+        uses: actions/github-script@v7
+        with:
+          script: |
+            // Copied from .github/extract-pr-and-workflow-id.js
+            const allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              run_id: context.payload.workflow_run.id,
+            });
+
+            for (const artifact of allArtifacts.data.artifacts) {
+              // Extract the PR number from the artifact name
+              const match = /^npm-package-(.+)-(\d+)$/.exec(artifact.name);
+              if (match) {
+                const packageName = match[1].toUpperCase();
+                require("fs").appendFileSync(
+                  process.env.GITHUB_ENV,
+                  `\nWORKFLOW_RUN_PR_FOR_${packageName}=${match[2]}` +
+                    `\nWORKFLOW_RUN_ID_FOR_${packageName}=${context.payload.workflow_run.id}`
+                );
+              }
+            }
+
+      - name: "Download runtime versions"
+        # Regular `actions/download-artifact` doesn't support downloading
+        # artifacts from another workflow
+        uses: dawidd6/action-download-artifact@v2
+        with:
+          run_id: ${{ github.event.workflow_run.id }}
+          name: runtime-versions.md
+
+      - name: "Put runtime versions on the environment"
+        id: runtime_versions
+        run: |
+          {
+            echo 'RUNTIME_VERSIONS<<EOF'
+            cat runtime-versions.md
+            echo EOF
+          } >> "$GITHUB_ENV"
+
+      - name: "Download pre-release report"
+        uses: dawidd6/action-download-artifact@v2
+        with:
+          run_id: ${{ github.event.workflow_run.id }}
+          name: prerelease-report.md
+
+      - name: "Put pre-release report on the environment"
+        id: prerelease_report
+        run: |
+          {
+            echo 'PRERELEASE_REPORT<<EOF'
+            cat prerelease-report.md
+            echo EOF
+          } >> "$GITHUB_ENV"
+
+      - name: "Comment on PR with Wrangler link"
+        uses: marocchino/sticky-pull-request-comment@v2
+        with:
+          number: ${{ env.WORKFLOW_RUN_PR_FOR_WRANGLER }}
+          message: |
+            ${{ env.PRERELEASE_REPORT }}
+
+            ---
+
+            ${{ env.RUNTIME_VERSIONS }}
+

ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected

@@ -20,6 +20,14 @@ edges
 | .github/workflows/test8.yml:26:9:32:6 | Uses Step | .github/workflows/test8.yml:40:14:41:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | provenance |  |
 | .github/workflows/test9.yml:19:9:27:6 | Uses Step | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n  pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n  ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | provenance |  |
 | .github/workflows/test10.yml:20:9:26:6 | Uses Step | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | provenance |  |
+| .github/workflows/test11.yml:39:9:47:6 | Uses Step | .github/workflows/test11.yml:49:14:54:29 | {\n  echo 'RUNTIME_VERSIONS<<EOF'\n  cat runtime-versions.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | provenance |  |
+| .github/workflows/test11.yml:39:9:47:6 | Uses Step | .github/workflows/test11.yml:56:9:62:6 | Uses Step | provenance |  |
+| .github/workflows/test11.yml:39:9:47:6 | Uses Step | .github/workflows/test11.yml:64:14:69:29 | {\n  echo 'PRERELEASE_REPORT<<EOF'\n  cat prerelease-report.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | provenance |  |
+| .github/workflows/test11.yml:56:9:62:6 | Uses Step | .github/workflows/test11.yml:64:14:69:29 | {\n  echo 'PRERELEASE_REPORT<<EOF'\n  cat prerelease-report.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | provenance |  |
+| .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:48:14:53:29 | {\n  echo 'RUNTIME_VERSIONS<<EOF'\n  cat runtime-versions.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | provenance |  |
+| .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:55:9:61:6 | Uses Step | provenance |  |
+| .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n  echo 'PRERELEASE_REPORT<<EOF'\n  cat prerelease-report.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | provenance |  |
+| .github/workflows/test12.yml:55:9:61:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n  echo 'PRERELEASE_REPORT<<EOF'\n  cat prerelease-report.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | provenance |  |
 nodes
 | .github/workflows/test2.yml:12:9:41:6 | Uses Step | semmle.label | Uses Step |
 | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | semmle.label | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n |
@@ -61,6 +69,14 @@ nodes
 | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n  pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n  ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | semmle.label | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n  pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n  ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n |
 | .github/workflows/test10.yml:20:9:26:6 | Uses Step | semmle.label | Uses Step |
 | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | semmle.label | cat foo/.github/java-config.env >> $GITHUB_ENV |
+| .github/workflows/test11.yml:39:9:47:6 | Uses Step | semmle.label | Uses Step |
+| .github/workflows/test11.yml:49:14:54:29 | {\n  echo 'RUNTIME_VERSIONS<<EOF'\n  cat runtime-versions.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | semmle.label | {\n  echo 'RUNTIME_VERSIONS<<EOF'\n  cat runtime-versions.md\n  echo EOF\n} >> "$GITHUB_ENV"\n |
+| .github/workflows/test11.yml:56:9:62:6 | Uses Step | semmle.label | Uses Step |
+| .github/workflows/test11.yml:64:14:69:29 | {\n  echo 'PRERELEASE_REPORT<<EOF'\n  cat prerelease-report.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | semmle.label | {\n  echo 'PRERELEASE_REPORT<<EOF'\n  cat prerelease-report.md\n  echo EOF\n} >> "$GITHUB_ENV"\n |
+| .github/workflows/test12.yml:38:9:46:6 | Uses Step | semmle.label | Uses Step |
+| .github/workflows/test12.yml:48:14:53:29 | {\n  echo 'RUNTIME_VERSIONS<<EOF'\n  cat runtime-versions.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | semmle.label | {\n  echo 'RUNTIME_VERSIONS<<EOF'\n  cat runtime-versions.md\n  echo EOF\n} >> "$GITHUB_ENV"\n |
+| .github/workflows/test12.yml:55:9:61:6 | Uses Step | semmle.label | Uses Step |
+| .github/workflows/test12.yml:63:14:68:29 | {\n  echo 'PRERELEASE_REPORT<<EOF'\n  cat prerelease-report.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | semmle.label | {\n  echo 'PRERELEASE_REPORT<<EOF'\n  cat prerelease-report.md\n  echo EOF\n} >> "$GITHUB_ENV"\n |
 subpaths
 #select
 | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | .github/workflows/test2.yml:12:9:41:6 | Uses Step | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n |
@@ -84,3 +100,6 @@ subpaths
 | .github/workflows/test8.yml:40:14:41:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:26:9:32:6 | Uses Step | .github/workflows/test8.yml:40:14:41:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test8.yml:40:14:41:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n |
 | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n  pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n  ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | .github/workflows/test9.yml:19:9:27:6 | Uses Step | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n  pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n  ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n  pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n  ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n  pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n  ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n |
 | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | .github/workflows/test10.yml:20:9:26:6 | Uses Step | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | cat foo/.github/java-config.env >> $GITHUB_ENV |
+| .github/workflows/test12.yml:48:14:53:29 | {\n  echo 'RUNTIME_VERSIONS<<EOF'\n  cat runtime-versions.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:48:14:53:29 | {\n  echo 'RUNTIME_VERSIONS<<EOF'\n  cat runtime-versions.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test12.yml:48:14:53:29 | {\n  echo 'RUNTIME_VERSIONS<<EOF'\n  cat runtime-versions.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | {\n  echo 'RUNTIME_VERSIONS<<EOF'\n  cat runtime-versions.md\n  echo EOF\n} >> "$GITHUB_ENV"\n |
+| .github/workflows/test12.yml:63:14:68:29 | {\n  echo 'PRERELEASE_REPORT<<EOF'\n  cat prerelease-report.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n  echo 'PRERELEASE_REPORT<<EOF'\n  cat prerelease-report.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test12.yml:63:14:68:29 | {\n  echo 'PRERELEASE_REPORT<<EOF'\n  cat prerelease-report.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | {\n  echo 'PRERELEASE_REPORT<<EOF'\n  cat prerelease-report.md\n  echo EOF\n} >> "$GITHUB_ENV"\n |
+| .github/workflows/test12.yml:63:14:68:29 | {\n  echo 'PRERELEASE_REPORT<<EOF'\n  cat prerelease-report.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test12.yml:55:9:61:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n  echo 'PRERELEASE_REPORT<<EOF'\n  cat prerelease-report.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test12.yml:63:14:68:29 | {\n  echo 'PRERELEASE_REPORT<<EOF'\n  cat prerelease-report.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | {\n  echo 'PRERELEASE_REPORT<<EOF'\n  cat prerelease-report.md\n  echo EOF\n} >> "$GITHUB_ENV"\n |