From 67917a152e3fe637bfb6f91582167a4dc85c6e0a Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Mon, 3 Nov 2025 17:07:15 +0000
Subject: [PATCH 1/2] Initial plan

From 159a83100b3d731e72078c52188c2b54501cb09b Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Mon, 3 Nov 2025 17:12:34 +0000
Subject: [PATCH 2/2] Delete vulnerable create-branch.yml workflow

Removed .github/workflows/create-branch.yml to fix critical code injection vulnerability (CVE-severity). The workflow had two injection points where github.event.inputs.name was used directly in bash scripts without sanitization, allowing potential arbitrary code execution. Per maintainer request, deleting the workflow is the most secure solution.

Fixes githubnext/gh-aw#3058

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
---
 .github/workflows/create-branch.yml | 56 -----------------------------
 1 file changed, 56 deletions(-)
 delete mode 100644 .github/workflows/create-branch.yml

diff --git a/.github/workflows/create-branch.yml b/.github/workflows/create-branch.yml
deleted file mode 100644
index 41a6b49ede2..00000000000
--- a/.github/workflows/create-branch.yml
+++ /dev/null
@@ -1,56 +0,0 @@
-name: Create Branch
-
-on:
-  workflow_dispatch:
-    inputs:
-      name:
-        description: 'Name of the branch to create'
-        required: true
-        type: string
-
-permissions:
-  contents: write
-
-jobs:
-  create-branch:
-    name: Create and Push Branch
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v5
-        with:
-          fetch-depth: 0
-
-      - name: Configure Git
-        run: |
-          git config --global user.name "github-actions[bot]"
-          git config --global user.email "github-actions[bot]@users.noreply.github.com"
-
-      - name: Create and push branch
-        run: |
-          BRANCH_NAME="${{ github.event.inputs.name }}"
-
-          echo "Creating branch: $BRANCH_NAME"
-
-          # Check if branch already exists remotely
-          if git ls-remote --heads origin "$BRANCH_NAME" | grep -q "$BRANCH_NAME"; then
-            echo "Error: Branch '$BRANCH_NAME' already exists remotely"
-            exit 1
-          fi
-
-          # Create and checkout new branch
-          git checkout -b "$BRANCH_NAME"
-
-          # Push the new branch to remote
-          git push origin "$BRANCH_NAME"
-
-          echo "Successfully created and pushed branch: $BRANCH_NAME"
-
-      - name: Summary
-        run: |
-          BRANCH_NAME="${{ github.event.inputs.name }}"
-          {
-            echo "## Branch Created Successfully"
-            echo "- **Branch Name**: \`$BRANCH_NAME\`"
-            echo "- **URL**: [View Branch](${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/tree/$BRANCH_NAME)"
-          } >> "$GITHUB_STEP_SUMMARY"
\ No newline at end of file