[plan] Fix template injection vulnerabilities using in-place string substitution

[github-actions]

Overview

This tracking issue covers fixing template injection vulnerabilities identified in the static analysis report by implementing Option 1: Avoid envsubst Entirely (Recommended) using an in-place template rewrite strategy.

Source: Discussion #5735

Background

The static analysis identified 12 template injection vulnerabilities across 8 workflows where envsubst is used on potentially untrusted data from GitHub Actions expressions like ${{ needs.*.outputs.* }}.

Solution Approach

Replace envsubst with a safer in-place template substitution method that:

• Writes the template content to the target file first with placeholder tokens (e.g., __VAR_NAME__)
• Uses sed or Python to perform safe string replacement without shell expansion
• Writes the result back to the same file (no .template files)
• Prevents code injection by treating all content as literal strings

Affected Workflows

1. breaking-change-checker.md - 1 instance
2. changeset.md - 1 instance
3. cloclo.md - 1 instance ⚠️ HIGH severity
4. copilot-pr-merged-report.md - 2 instances
5. daily-performance-summary.md - 2 instances
6. dev.md - 2 instances
7. duplicate-code-detector.md - 1 instance
8. test-python-safe-input.md - 2 instances

Planned Tasks

1. Fix template injection in cloclo.md (highest priority)
2. Fix template injection in single-instance workflows
3. Fix template injection in multi-instance workflows
4. Validate fixes and test with malicious input
5. Update documentation and prevention guidelines

Success Criteria

• All 8 workflows updated to use safe substitution
• No .template files created
• Workflows pass static analysis (zizmor scan)
• Test cases validate protection against injection
• Documentation updated with secure patterns

AI generated by Plan Command for discussion #5735