From 681e48ddcd0a0f6653ed7eaf08d7f283163c0a6f Mon Sep 17 00:00:00 2001
From: Yalguun Tumenkhuu
Date: Tue, 23 Jun 2026 11:57:26 +0800
Subject: [PATCH] fix: randomize GITHUB_OUTPUT heredoc delimiters to prevent output injection
---
 action.yml | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/action.yml b/action.yml
index 35af14fe7..f0f3a707e 100644
--- a/action.yml
+++ b/action.yml
@@ -350,22 +350,24 @@ runs:
 # Set the captured response as a step output, supporting multiline
- echo "gemini_response<> "${GITHUB_OUTPUT}"
+ DELIM_GEMINI_RESPONSE="ghadelim_$(openssl rand -hex 16)"
+ echo "gemini_response<<${DELIM_GEMINI_RESPONSE}" >> "${GITHUB_OUTPUT}"
 if [[ -n "${RESPONSE}" ]]; then
 echo "${RESPONSE}" >> "${GITHUB_OUTPUT}"
 else
 cat "${TEMP_STDOUT}" >> "${GITHUB_OUTPUT}"
 fi
- echo "EOF" >> "${GITHUB_OUTPUT}"
+ echo "${DELIM_GEMINI_RESPONSE}" >> "${GITHUB_OUTPUT}"
 # Set the captured errors as a step output, supporting multiline
- echo "gemini_errors<> "${GITHUB_OUTPUT}"
+ DELIM_GEMINI_ERRORS="ghadelim_$(openssl rand -hex 16)"
+ echo "gemini_errors<<${DELIM_GEMINI_ERRORS}" >> "${GITHUB_OUTPUT}"
 if [[ -n "${ERROR_JSON}" ]]; then
 echo "${ERROR_JSON}" >> "${GITHUB_OUTPUT}"
 else
 cat "${TEMP_STDERR}" >> "${GITHUB_OUTPUT}"
 fi
- echo "EOF" >> "${GITHUB_OUTPUT}"
+ echo "${DELIM_GEMINI_ERRORS}" >> "${GITHUB_OUTPUT}"
 # Generate Job Summary
 if [[ -n "${GITHUB_STEP_SUMMARY:-}" ]]; then
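Review bot: The randomized delimiter silently degrades to the constant prefix `ghadelim_` if `openssl` is absent or `openssl rand` fails, because the `$(...)` in `DELIM_GEMINI_RESPONSE="ghadelim_$(openssl rand -hex 16)"` (and the `DELIM_GEMINI_ERRORS` line) then expands to an empty string and the script carries on unless the step's shell runs with `set -e`, which this hunk does not show — and a guessable delimiter is exactly what the commit sets out to remove. Guard both assignments so the step fails closed, e.g. `DELIM_GEMINI_RESPONSE="ghadelim_$(openssl rand -hex 16)" || { echo "::error::failed to generate GITHUB_OUTPUT delimiter" >&2; exit 1; }` (an assignment's exit status is that of its command substitution, so the `||` fires when openssl is missing). While here, `printf '%s\n' "${RESPONSE}"` is safer than `echo "${RESPONSE}"` for model-influenced text, since echo interprets a leading `-n`/`-e`. A one-line why-comment would help the next reader: `# Unguessable delimiter: output containing a fixed "EOF" line could otherwise close the heredoc and inject extra step outputs`. The enclosing `run:` script starts and ends outside the hunk.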