Report security issues privately to the Wildmason maintainers.
Do not open a public issue for vulnerabilities involving unsafe path handling, unexpected file hashing, receipt leakage, or expression evaluation bypasses.
`gha-expression-proof` treats expressions and context JSON as untrusted input. It does not execute shell commands, call GitHub APIs, or read files except through explicit `hashFiles()` workspace patterns.