fix: code injection via template expansion

https://docs.zizmor.sh/audits/#template-injection

Author: MaxymVlasov

.github/workflows/build-image.yaml

@@ -33,10 +33,13 @@ jobs:
         username: ${{ github.repository_owner }}
         password: ${{ secrets.GITHUB_TOKEN }}
     - name: Set tag for image
+      env:
+        REF_TYPE: ${{ github.ref_type }}
+        REF_NAME: ${{ github.ref_name }}
       run: >-
         echo IMAGE_TAG=$(
-        [ ${{ github.ref_type }} == 'tag' ]
-        && echo ${{ github.ref_name }}
+        [ $REF_TYPE == 'tag' ]
+        && echo $REF_NAME
         || echo 'latest'
         ) >> $GITHUB_ENV
 

.github/workflows/pre-commit.yaml

@@ -22,11 +22,12 @@ jobs:
 
     - name: Get changed files
       id: file_changes
+      env:
+        BASE_REF: ${{ github.base_ref }}
+        SHA: ${{ github.sha }}
       run: |
-        export DIFF=$(git diff --name-only origin/${{ github.base_ref }} ${{
-          github.sha
-        }})
-        echo "Diff between ${{ github.base_ref }} and ${{ github.sha }}"
+        export DIFF=$(git diff --name-only origin/$BASE_REF $SHA)
+        echo "Diff between $BASE_REF and $SHA"
         echo "files=$( echo "$DIFF" | xargs echo )" >> $GITHUB_OUTPUT
 
     - name: Install shfmt

.github/workflows/reusable-tox.yml

@@ -150,9 +150,10 @@ jobs:
     steps:
     - name: Export requested job-global environment variables
       if: inputs.environment-variables != ''
+      env:
+        INPUT_ENV_VARS: ${{ inputs.environment-variables }}
       run: >-
-        echo '${{ inputs.environment-variables }}'
-        >> "${GITHUB_ENV}"
+        echo "$INPUT_ENV_VARS" >> $GITHUB_ENV
 
     - name: >-
         Switch to using Python v${{ inputs.python-version }}
@@ -273,7 +274,7 @@ jobs:
         path: dist/
 
     - name: >-
-        Pre-populate tox envs: `${{ env.TOXENV }}`
+        Pre-populate tox envs: $TOXENV
       run: >-
         python -Im
         tox
@@ -300,7 +301,7 @@ jobs:
     # But only for 'pytest' env in 'tox'.
     # For details: ../../tox.ini '[testenv:pytest]' 'commands_post'
     - name: >-
-        Run tox envs: `${{ env.TOXENV }}`
+        Run tox envs: $TOXENV
       id: tox-run
       run: >-
         python -Im
@@ -353,13 +354,15 @@ jobs:
         && steps.tox-run.outputs.test-result-files == ''
         && steps.tox-run.outputs.codecov-flags != 'MyPy'
       run: >-
-        cat code-coverage-results.md >> "${GITHUB_STEP_SUMMARY}"
+        cat code-coverage-results.md >> $GITHUB_STEP_SUMMARY
     - name: Re-run the failing tests with maximum verbosity
       if: >-
         !cancelled()
         && failure()
         && inputs.tox-rerun-posargs != ''
       # `exit 1` makes sure that the job remains red with flaky runs
+      env:
+        INPUT_TOX_RERUN_POSARGS: ${{ inputs.tox-rerun-posargs }}
       run: >-
         python -Im
         tox
@@ -369,7 +372,7 @@ jobs:
         -vvvvv
         --skip-pkg-install
         --
-        ${{ inputs.tox-rerun-posargs }}
+        $INPUT_TOX_RERUN_POSARGS
         && exit 1
       shell: bash
     - name: Send coverage data to Codecov