Fix command injection vulnerability where github.event.workflow_run.head_branch
was directly interpolated into shell commands. Branch names containing shell
metacharacters could execute arbitrary commands.
Changes:
- Pass head_branch through environment variables instead of direct interpolation
- Affects gh pr list --head and gh workflow run --ref commands
- Prevents execution of malicious code in branch names
Severity: HIGH
Category: command_injection
* feat: add structured output support
Add support for Agent SDK structured outputs.
New input: json_schema
Output: structured_output (JSON string)
Access: fromJSON(steps.id.outputs.structured_output).field
Docs: https://docs.claude.com/en/docs/agent-sdk/structured-outputs
* rm unused
* refactor: simplify structured outputs to use claude_args
Remove json_schema input in favor of passing --json-schema flag directly
in claude_args. This simplifies the interface by treating structured outputs
like other CLI flags (--model, --max-turns, etc.) instead of as a special
input that gets injected.
Users now specify: claude_args: '--json-schema {...}'
Instead of separate: json_schema: {...}
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
* chore: remove unused json-schema util and revert version
- Remove src/utils/json-schema.ts (no longer used after refactor)
- Revert Claude Code version from 2.0.45 back to 2.0.42
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
---------
Co-authored-by: Claude <noreply@anthropic.com>
