
@ajay-dhangar
Member

Potential fix for https://github.com/codeharborhub/dsa/security/code-scanning/1

To fix this code injection risk, the issue body must not be injected into the shell script using the ${{ ... }} expression syntax inside the run: block. Instead, assign the untrusted input to an environment variable using GitHub Actions env: at the step level, and then read it using standard shell variable expansion ("$ISSUE_BODY"). This way, the expression is evaluated by the Actions runner before the shell starts, and the shell sees only the resolved value via its own variable mechanism, which prevents expression-level injection.

Concretely, in the Validate Issue Content step (lines 34–41), add an env: section that sets ISSUE_BODY: ${{ github.event.issue.body }} and modify the run: script to use issue_body="$ISSUE_BODY" or just reference $ISSUE_BODY directly instead of ${{ github.event.issue.body }}. The string checks remain the same. Similarly, in the Check for Security and Trust step (lines 43–49), introduce an env: section with ISSUE_BODY: ${{ github.event.issue.body }} and use issue_body="$ISSUE_BODY" in the script. No changes are required to other steps because the reported injection is specifically on line 37; we will keep the rest of the functionality intact.

These changes all occur within .github/workflows/issue_creation_workflow.yml under the two affected steps. No additional methods or external libraries are necessary; we only adjust YAML structure and shell variable usage.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
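The two hardened steps the description outlines, written out as an added example (this is not the PR's own diff). The workflow skeleton, the step bodies and the string checks are assumptions, since the PR page does not show them:

```yaml
# Added example, not the PR's diff: a minimal workflow carrying the two
# affected steps in the env-variable form the description recommends.
# The string checks are placeholders; the PR page does not show the real ones.
name: Issue creation checks
on:
  issues:
    types: [opened]

jobs:
  validate:
    runs-on: ubuntu-latest
    steps:
      # Injectable form the code-scanning alert flagged (do not use):
      #   run: |
      #     issue_body="${{ github.event.issue.body }}"
      # The expression is substituted into the script text before the shell
      # parses it, so the issue body becomes part of the program, not data.
      - name: Validate Issue Content
        env:
          ISSUE_BODY: ${{ github.event.issue.body }}   # resolved by the runner, never by the shell
        run: |
          issue_body="$ISSUE_BODY"                     # expanded by bash as a plain string
          if [ -z "$issue_body" ]; then
            echo "Issue body is empty"
            exit 1
          fi

      - name: Check for Security and Trust
        env:
          ISSUE_BODY: ${{ github.event.issue.body }}
        run: |
          issue_body="$ISSUE_BODY"
          # Placeholder check: the real pattern is not part of this PR page.
          if printf '%s\n' "$issue_body" | grep -qiE 'placeholder-pattern'; then
            echo "Issue body matched a blocked pattern"
            exit 1
          fi
```

The same env-then-expand pattern applies to any other `github.event.*` field (title, comment body, branch name) a step needs to read in a shell.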

@github-actions github-actions bot left a comment


Great job, @ajay-dhangar! 🎉 Thank you for submitting your pull request to CodeHarborHub. We appreciate your contribution and enthusiasm! Our team will review it soon. If you have any questions or need further assistance, feel free to reach out. Thanks for contributing!

@ajay-dhangar ajay-dhangar marked this pull request as ready for review December 26, 2025 03:40
@ajay-dhangar ajay-dhangar added the `bug` (Something isn't working) label Dec 26, 2025
@ajay-dhangar ajay-dhangar merged commit c1bce27 into main Dec 26, 2025
5 of 6 checks passed