The vulnerability has nothing to do with bash. It’s a template injection in GitHub Actions, which bypasses the interpolation of any shell or interpreter.