From b6c9b4bef5c235a6ec9dbe9f2c68898bf277ddff Mon Sep 17 00:00:00 2001
From: Chelsea Boling
Date: Fri, 4 Mar 2022 00:29:39 -0800
Subject: [PATCH] Update README.md
---
README.md | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/README.md b/README.md
index c01c08c..8c4e7cc 100644
--- a/README.md
+++ b/README.md
@@ -86,6 +86,26 @@ with:
 issue_reopen_state: 'red-team-followup'
 ```
+##### Keeping your input values secure 💯
+
+Avoid code/command injections by setting your inputs to intermediate environment variables. For example:
+
+```yaml
+env:
+ GITHUB_TOKEN: '${{ secrets.DEMO_SECRET }}'
+ JIRA_URL: '${{ secrets.JIRA_URL }}'
+ JIRA_USER: '${{ secrets.JIRA_USER }}'
+ JIRA_TOKEN: '${{ secrets.JIRA_TOKEN }}'
+ JIRA_PROJECT: '${{ secrets.JIRA_PROJECT }}'
+ JIRA_LABELS: 'red, blue'
+with:
+ github_token: '$GITHUB_TOKEN'
+ jira_url: '$JIRA_URL'
+ jira_user: '$JIRA_USER'
+ jira_token: '$JIRA_TOKEN'
+ jira_project: '$JIRA_PROJECT'
+ jira_labels: '$JIRA_LABELS'
+```
 ## Using the CLI's `sync` command