From bd4f617b36a7d6ceafa0210d685d5a88b687d584 Mon Sep 17 00:00:00 2001
From: Ryan Whitworth
Date: Mon, 23 Feb 2026 13:02:21 -0500
Subject: [PATCH] ci: fix script injection in outcome job (CWE-78)

Move toJson(needs) from inline run: expression to env: variable to prevent shell metacharacter injection via crafted job outputs.

Wiz Issue: 16f1da6f-ae19-4da7-9122-1f3e33ba5e10
---
 .github/workflows/ci.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 8032154a736..c2fcd4b50ae 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -229,7 +229,9 @@ jobs:
 # If all dependent jobs were successful, this exits with 0 (and the outcome job continues successfully).
 # If a some dependent job has failed, this exits with 1.
 - name: calculate the correct exit status
- run: jq --exit-status 'all(.result == "success" or .result == "skipped")' <<< '${{ toJson(needs) }}'
+ env:
+ NEEDS_CONTEXT: ${{ toJson(needs) }}
+ run: jq --exit-status 'all(.result == "success" or .result == "skipped")' <<< "$NEEDS_CONTEXT"
 # Publish the toolstate if an auto build succeeds (just before push to master)
 - name: publish toolstate
 run: src/ci/publish_toolstate.sh
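Review bot: Nothing in the new `env:` block records why `NEEDS_CONTEXT` exists, so the next person tidying this step can fold `${{ toJson(needs) }}` straight back into `run:` and silently reintroduce the injection the commit closes; the step comment above only describes the exit-status semantics. Add a line above `env:` such as `# Pass the needs context through an env var rather than interpolating it into run:; job outputs are attacker-influenceable text and must not be expanded by the shell (CWE-78).` The quoted `<<< "$NEEDS_CONTEXT"` is the right form, since an unquoted expansion would still word-split the JSON. It is worth checking, outside this hunk, whether any other `run:` step in the workflow interpolates `${{ }}` values derived from outputs, PR titles or branch names, as those would need the same treatment.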