How to pass parameters to the script?

@mdvorak The security depends partially on the provenance of the data. If the step output is created in a way the workflow implementer can trust, the solution I posted earlier is generally safe. If the output comes from untrusted data, then it’s not.

As far as I can tell, @acidos was not specifically asking how to safely and securely include literally any type of step output, trusted or untrusted.

In the future, we could potentially attach step outputs to the toolkit context, but it’s currently not possible. Such a feature would provide the prior steps’ output in a JavaScript string that could be used at runtime, rather than interpolated via context expression syntax.

Another, somewhat safer way of doing this would be to set the prior steps’ output as an environment variable in subsequent steps, although this is not specific to this action, it’s just something that can be done with the tools that Actions provides:

- uses: actions/github-script@v1
  env:
    DATA: ${{ steps.step-id.outputs.output-name }}
  with:
    script: |
      console.log(process.env.DATA)

See the context and expression syntax documentation for more examples.

The easiest way to do this is via Actions’ expression evaluation syntax (${{ }}). Assuming you want to use the output from a previous step in your github-script action, you could do something like this:

- uses: actions/github-script@v1
  with:
    script: |
      console.log('${{ steps.step-id.outputs.output-name }}')

Note that the expression evaluation happens before the action runs, so the raw value will be inserted into the script string (hence the need for quotes).

This assumes that you have a previous step whose ID is “step-id” and that whose outputs include a value called “output-name”. See “About contexts and expressions” and “steps context”.

If this doesn’t answer your question, please reply with an example so I can get a clearer idea of what you mean 😄 Thank you!