Semgrep Assistant suggests the following fix: Use an environment variable to safely pass `github` context data to the `run` command.
<details><summary><b>View step-by-step instructions</b></summar...
## [Semgrep Code] Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): 'run-shell-injection'
Using variable interpolation `${{...}}` with `github` context da...
Using variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code...
If this has to be processed differently we could also reutrn a parsing error to be handled by the calling function, not sure returning an inboundMemo as a pointer makes the API simpler