security: fix command injection vulnerabilities in GitHub Actions workflows

- Move user-controlled inputs to env variables instead of direct interpolation
- Fixes SonarCloud rule S7630 (BLOCKER severity)
- Affects docs-stage-5-publish.yaml (14 issues) and docs-cicd-3-deploy.yaml (1 issue)
- Prevents potential command injection attacks via workflow inputs
- All ${{ inputs.* }} references now passed through environment variables

Author: RossBugginsNHS

.github/workflows/docs-cicd-3-deploy.yaml

@@ -92,15 +92,14 @@ jobs:
         shell: bash
         env:
           GH_TOKEN: ${{ github.token }}
+          INPUTS_VERSION: ${{ inputs.version }}
+          INPUTS_INCLUDE_PRERELEASES: ${{ inputs.include_prereleases }}
         run: |
-          INPUTS_INCLUDE_PRERELEASES="${{ inputs.include_prereleases }}"
-          INPUTS_INCLUDE_PRERELEASES=${INPUTS_INCLUDE_PRERELEASES:-"true"}
+          INCLUDE_PRERELEASES=${INPUTS_INCLUDE_PRERELEASES:-"true"}
+          VERSION=${INPUTS_VERSION:-"latest"}
 
-          INPUTS_VERSION="${{ inputs.version }}"
-          INPUTS_VERSION=${INPUTS_VERSION:-"latest"}
 
-
-          if [[ $INPUTS_INCLUDE_PRERELEASES == true ]]; then
+          if [[ $INCLUDE_PRERELEASES == true ]]; then
             json=$(gh release list --json tagName --limit 1 --exclude-drafts)
           else
             json=$(gh release list --json tagName --limit 1 --exclude-drafts --exclude-pre-releases)

.github/workflows/docs-stage-5-publish.yaml

@@ -62,38 +62,47 @@ jobs:
         env:
           GH_TOKEN: ${{ github.token }}
           GH_REPO: ${{ github.repository }}
+          VERSION: ${{ inputs.version }}
+          IS_PRERELEASE: ${{ inputs.is_version_prerelease }}
         run: |
+          PRERELEASE_FLAG=""
+          if [ "$IS_PRERELEASE" = "true" ]; then
+            PRERELEASE_FLAG="--prerelease"
+          fi
           gh release create \
-          "${{ inputs.version }}" \
+          "$VERSION" \
           --draft \
           --latest \
-          --title "${{ inputs.version }}" \
-          --notes "Release of ${{ inputs.version }}" \
-          ${{ inputs.is_version_prerelease == 'true' && '--prerelease' || '' }}
+          --title "$VERSION" \
+          --notes "Release of $VERSION" \
+          $PRERELEASE_FLAG
 
       - name: "Upload jeykll docs release asset"
         env:
           GH_TOKEN: ${{ github.token }}
           GH_REPO: ${{ github.repository }}
+          VERSION: ${{ inputs.version }}
         run: |
-          cp ./artifacts/jekyll-docs-${{ inputs.version }}/artifact.tar $RUNNER_TEMP/jekyll-docs-${{ inputs.version }}.tar
+          cp ./artifacts/jekyll-docs-$VERSION/artifact.tar $RUNNER_TEMP/jekyll-docs-$VERSION.tar
           gh release upload \
-          "${{ inputs.version }}" \
-          $RUNNER_TEMP/jekyll-docs-${{ inputs.version }}.tar#jekyll-docs-${{ inputs.version }}
+          "$VERSION" \
+          $RUNNER_TEMP/jekyll-docs-$VERSION.tar#jekyll-docs-$VERSION
 
       - name: "Upload schema release asset"
         env:
           GH_TOKEN: ${{ github.token }}
           GH_REPO: ${{ github.repository }}
+          VERSION: ${{ inputs.version }}
         run: |
-          cp ./artifacts/schemas-${{ inputs.version }}/artifact.tar $RUNNER_TEMP/schemas-${{ inputs.version }}.tar
+          cp ./artifacts/schemas-$VERSION/artifact.tar $RUNNER_TEMP/schemas-$VERSION.tar
           gh release upload \
-          "${{ inputs.version }}" \
-          $RUNNER_TEMP/schemas-${{ inputs.version }}.tar#schemas-${{ inputs.version }}
+          "$VERSION" \
+          $RUNNER_TEMP/schemas-$VERSION.tar#schemas-$VERSION
 
 
       - name: Publish Release
         env:
           GH_TOKEN: ${{ github.token }}
           GH_REPO: ${{ github.repository }}
-        run: gh release edit "${{ inputs.version }}" --draft=false
+          VERSION: ${{ inputs.version }}
+        run: gh release edit "$VERSION" --draft=false

docs/_layouts/event.html

@@ -53,9 +53,9 @@ <h2>Consumed by</h2>
 </ul>
 
 <h2>Envelope Schema</h2>
-<iframe title="Envelope Schema {{page.title}}" src="{{ page.schema_envelope }}" width="100%" height="600px"></iframe>
+<iframe title="Envelope Schema {{page.title}}" src="{{ page.schema_envelope | replace: 'https://notify.nhs.uk/cloudevents', '' | replace: '.schema.json', '.bundle.schema.json' }}" width="100%" height="600px"></iframe>
 
 <h2>Data Schema</h2>
-<iframe title="Data Schema {{page.title}}" src="{{ page.schema_data }}" width="100%" height="600px"></iframe>
+<iframe title="Data Schema {{page.title}}" src="{{ page.schema_data | replace: 'https://notify.nhs.uk/cloudevents', '' }}" width="100%" height="600px"></iframe>
 
 {{ content }}