The Check issue comment workflow uses the issue comment body inside a github-script action as follows:
const comment="${{ github.event.comment.body }}"
Because the expression is expanded into the JavaScript source before it runs, an attacker can break out of the string literal with an issue comment such as octocat";console.log('WTF!!!');//
With this comment body, the script becomes the following:
const comment="octocat";console.log('WTF!!!');//"
Let's create a new issue comment with this body and see what happens. We observe that the workflow runs the command console.log('WTF!!!')!
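As an added example (not code from the original post), the scanner below flags workflow steps whose github-script `script:` or shell `run:` text interpolates attacker-controlled event fields directly, and contrasts the vulnerable step with a hardened one that passes the body through an environment variable. Both workflow snippets are constructed for this illustration; the `github-script@v7` tag and the field list are assumptions.

```javascript
// Added example, not code from the original post: flag GitHub Actions steps
// whose script:/run: text contains ${{ }} expressions over event fields that an
// issue author or commenter controls. Sample workflows below are constructed.
const UNTRUSTED = /\$\{\{\s*github\.event\.(?:comment\.body|issue\.(?:title|body)|pull_request\.(?:title|body))\s*\}\}/g;

function findUnsafeInterpolations(yamlText) {
  const findings = [];
  let blockIndent = -1; // indent of the open script:/run: key, -1 when none
  yamlText.split('\n').forEach((line, idx) => {
    const indent = line.search(/\S|$/);
    // A non-blank line at or left of the key's indent closes the block scalar.
    if (blockIndent >= 0 && line.trim() !== '' && indent <= blockIndent) blockIndent = -1;
    const key = line.match(/^\s*(?:-\s+)?(script|run):\s*(.*)$/);
    let inScript = blockIndent >= 0;
    if (key) {
      inScript = true;
      if (/^[|>]/.test(key[2])) blockIndent = line.indexOf(key[1]);
    }
    if (!inScript) return;
    for (const m of line.matchAll(UNTRUSTED)) {
      findings.push({ line: idx + 1, expression: m[0] });
    }
  });
  return findings;
}

// Vulnerable step: the comment body is pasted into the JavaScript source.
const VULNERABLE = `
steps:
  - uses: actions/github-script@v7
    with:
      script: |
        const comment = "\${{ github.event.comment.body }}"
`;

// Hardened step: the body reaches the script only as data via process.env,
// so the script source is fixed and quotes in the comment cannot escape it.
const HARDENED = `
steps:
  - uses: actions/github-script@v7
    env:
      COMMENT: \${{ github.event.comment.body }}
    with:
      script: |
        const comment = process.env.COMMENT
`;

console.log(findUnsafeInterpolations(VULNERABLE)); // one finding on the script line
console.log(findUnsafeInterpolations(HARDENED));   // []
```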