feat: central input validation script to detect hidden Unicode and prompt injection in workflows

[Copilot]

Workflows triggered by untrusted user input (issue/PR bodies) are vulnerable to hidden-character prompt injection — attackers embed invisible Unicode or HTML comments to covertly manipulate LLMs processing that content.

Changes

.github/workflows/validate-input.sh (new)

Central bash/Python script that fails the job and posts a warning comment (with a run link) on the issue/PR if any of the following are detected:

Threat	Code points
Bidirectional overrides (Trojan Source / CVE-2021-42574)	U+202A–202E, U+2066–2069
Zero-width / invisible characters	U+200B, U+200C, U+200D, U+2060, U+FEFF, U+00AD
Unicode tag characters	U+E0000–E007F
Variation selectors (steganographic)	U+FE00–FE0F, U+E0100–E01EF
HTML comments <!-- ... -->	stripped by GitHub renderer, visible to LLMs
Non-printable control characters	excludes HT/LF/CR

Consume it as a pre-processing step by setting four env vars:

- name: Validate issue body for hidden content
  env:
    GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    INPUT_TEXT: ${{ github.event.issue.body }}
    ITEM_NUMBER: ${{ github.event.issue.number }}
    REPO: ${{ github.repository }}
    RUN_ID: ${{ github.run_id }}
    SERVER_URL: ${{ github.server_url }}
    CONTEXT_TYPE: issue          # or "pr"
    FINDINGS_FILE: /tmp/validation-findings.txt
  run: bash .github/workflows/validate-input.sh

.github/workflows/check-toolnames.yml (updated)

Adds the validation step before the issue body is processed by the tool-name extraction logic — the highest-risk workflow for untrusted text input.

.github/instructions/workflows.instructions.md (new)

Copilot custom instructions file (applyTo: ".github/workflows/**") documenting when to apply the validation step, ready-to-paste YAML for both issue and PR contexts, and how to extend the script with new threat categories.

Original prompt

There are more and more attacks happening against the GitHub actions platform. A new one is hidden Unicode characters in user input, through for example issues/pr's and their comments, or even branch names.

I want to create a script that we can run inside a job in a workflow, that will validate the untrusted user input to make sure that they did not inject something nasty that an LLM could pick up. That can even be hidden text in the form of html code/commented text in those input fields.

Write a central script for this in the workflow folder, and use that as a first step in the jobs that we trigger with untrusted user input. The script needs to fail the job if it finds something odd, and add the finding to the issue/PR with a comment. The comment needs to include a link to the workflow run that detected it.

Document this way of working in a custom instructions file that is applied to files in the workflows folder.

---

📱 Kick off Copilot coding agent tasks wherever you are with GitHub Mobile, available on iOS and Android.