GH actions: do not interpolate template variables in run blocks. (#1284)

jglogan · web-flow · commit 8653507f808b · 2026-03-03T14:13:32.000-08:00
- Prevents injection of code during CI build.
diff --git a/.github/workflows/common.yml b/.github/workflows/common.yml
@@ -49,9 +49,11 @@ jobs:
           DEVELOPER_DIR: "/Applications/Xcode-latest.app/Contents/Developer"
 
       - name: Set build configuration
+        env:
+          RELEASE: ${{ inputs.release }}
         run: |
           echo "BUILD_CONFIGURATION=debug" >> $GITHUB_ENV
-          if [[ "${{ inputs.release }}" == "true" ]]; then
+          if [[ "${RELEASE}" == "true" ]]; then
             echo "BUILD_CONFIGURATION=release" >> $GITHUB_ENV
           fi
 
@@ -65,8 +67,8 @@ jobs:
       - name: Create package
         run: |
           mkdir -p outputs
-          mv bin/${{ env.BUILD_CONFIGURATION }}/container-installer-unsigned.pkg outputs
-          mv bin/${{ env.BUILD_CONFIGURATION }}/bundle/container-dSYM.zip outputs
+          mv "bin/${BUILD_CONFIGURATION}/container-installer-unsigned.pkg" outputs
+          mv "bin/${BUILD_CONFIGURATION}/bundle/container-dSYM.zip" outputs
 
       - name: Test the container project
         run: |
diff --git a/.github/workflows/docs-release.yml b/.github/workflows/docs-release.yml
@@ -14,7 +14,9 @@ jobs:
     if: github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags') || startsWith(github.ref, 'refs/heads/release')
     steps:
       - name: Branch validation
-        run: echo "Branch ${{ github.ref_name }} is allowed"
+        env:
+          REF_NAME: ${{ github.ref_name }}
+        run: echo "Branch ${REF_NAME} is allowed"
 
   buildSite:
     name: Build application website
diff --git a/.github/workflows/pr-build.yml b/.github/workflows/pr-build.yml
@@ -15,8 +15,10 @@ jobs:
       - name: Check all commits are signed
         env:
           GH_TOKEN: ${{ github.token }}
+          REPO: ${{ github.repository }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
         run: |
-          commits=$(gh api repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/commits --paginate)
+          commits=$(gh api "repos/${REPO}/pulls/${PR_NUMBER}/commits" --paginate)
           unsigned_commits=""
 
           while IFS='|' read -r sha author verified; do
diff --git a/.github/workflows/pr-label-analysis.yml b/.github/workflows/pr-label-analysis.yml
@@ -14,9 +14,11 @@ jobs:
     
     steps:
       - name: Save PR metadata
+        env:
+          PR_NUMBER: ${{ github.event.pull_request.number }}
         run: |
           mkdir -p ./pr-metadata
-          echo "${{ github.event.pull_request.number }}" > ./pr-metadata/pr-number.txt
+          echo "${PR_NUMBER}" > ./pr-metadata/pr-number.txt
       
       - name: Upload PR metadata as artifact
         uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
