@@ -59,6 +59,31 @@ For example, `github.issues.createComment` in V4 becomes `github.rest.issues.cre
5959
6060See [ development.md] ( /docs/development.md ) .
6161
62+ ## Passing inputs to the script
63+
64+ Actions expressions are evaluated before the ` script ` is passed to the action, so the result of any expressions
65+ * will be evaluated as JavaScript code* .
66+
67+ It's highly recommended to * not* evaluate expressions directly in the ` script ` to avoid
68+ [ script injections] ( https://docs.github.com/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#understanding-the-risk-of-script-injections )
69+ and potential ` SyntaxError ` s when the expression is not valid JavaScript code (particlarly when it comes to inproperly escaped strings).
70+
71+ To pass inputs, set ` env ` vars on the action step and reference then them in your script with ` process.env ` :
72+
73+ ``` yaml
74+ - uses : actions/github-script@v7
75+ env :
76+ TITLE : ${{ github.event.pull_request.title }}
77+ with :
78+ script : |
79+ const title = process.env.TITLE;
80+ if (title.startsWith('octocat')) {
81+ console.log("PR title starts with 'octocat'");
82+ } else {
83+ console.error("PR title did not start with 'octocat'");
84+ }
85+ ` ` `
86+
6287## Reading step results
6388
6489The return value of the script will be in the step's outputs under the
@@ -444,27 +469,6 @@ export default async ({ core, context }) => {
444469};
445470` ` `
446471
447- # ## Use env as input
448-
449- You can set env vars to use them in your script :
450-
451- ` ` ` yaml
452- on: push
453-
454- jobs:
455- echo-input:
456- runs-on: ubuntu-latest
457- steps:
458- - uses: actions/github-script@v7
459- env:
460- FIRST_NAME: Mona
461- LAST_NAME: Octocat
462- with:
463- script: |
464- const { FIRST_NAME, LAST_NAME } = process.env
465-
466- console.log(` Hello ${FIRST_NAME} ${LAST_NAME}`)
467- ```
468472
469473# ## Using a separate GitHub token
470474
0 commit comments