🌐 Web query:

`For GitHub Actions security hardening:

1. Are expressions like ${{ env.USER }} inside run: interpolated before shell execution?
2. What is GitHub’s documented guidance for handling untrusted input in workflows (especially script injections)?
3. Is jq available by default on ubuntu-slim GitHub-hosted runners?`

💡 Result:

1. Yes. In a run: step, expressions inside ${{ ... }} (including ${{ env.USER }}) are evaluated and substituted before the temporary shell script is executed, which is why this pattern can enable shell injection if the value is attacker-controlled. [1]

2. GitHub’s guidance for untrusted input / script injection (documented):

   • Treat GitHub context fields that can be influenced by users (for example issue/PR title, body, branch names, etc.) as potentially untrusted and prevent them from flowing into places where they may be interpreted as code. [1]
   • Avoid embedding untrusted values directly via ${{ ... }} inside run: scripts. Prefer assigning the expression to an intermediate environment variable and then referencing it using the shell’s native variable syntax (for example "$TITLE" in bash). [2][3]

3. Yes. jq is included by default on the GitHub-hosted runner label ubuntu-slim (the image’s installed software list includes jq, and it’s also present as an installed apt package). [4]

Sources
[1] GitHub Docs — “Script injections”
[2] GitHub Security Lab — “Keeping your GitHub Actions and workflows secure Part 2: Untrusted input”
[3] CodeQL query help — “Code injection” (GitHub Actions)
[4] actions/runner-images — ubuntu-slim-Readme.md (installed software list)

-      - run: |
-          curl -H "Authorization: token ${{ github.token }}" -d '{"assignees": ["${{ env.USER }}"]}' https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.issue.number }}/assignees
+      - run: |
+          payload="$(jq -cn --arg user "$USER" '{assignees: [$user]}')"
+          curl -fsS \
+            -H "Authorization: token ${{ github.token }}" \
+            -H "Content-Type: application/json" \
+            -d "$payload" \
+            "https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.issue.number }}/assignees"
         env:
           USER:  ${{ github.event.comment.user.login }}

This uses shell variable substitution ($USER) instead of GitHub expression interpolation, and jq encodes the JSON safely. jq is available by default on ubuntu-slim runners.

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.