ci: fix semgrep reported run-shell-injection (#4168)

oakrizan · web-flow · commit db2af793a65e · 2025-08-14T08:49:34.000+02:00
diff --git a/.github/actions/build-and-publish-docker/action.yml b/.github/actions/build-and-publish-docker/action.yml
@@ -31,10 +31,14 @@ runs:
 
     - name: "Build docker image"
       shell: bash
-      run: ./scripts/docker-release/build_docker.sh "${{ inputs.release_version }}"
+      run: ./scripts/docker-release/build_docker.sh "${RELEASE_VERSION}"
       env:
         SONATYPE_FALLBACK: 1
+        RELEASE_VERSION: ${{ inputs.release_version }}
+
     - name: "Push docker image"
       if: ${{ inputs.dry_run == 'false' }}
       shell: bash
-      run: ./scripts/docker-release/push_docker.sh "${{ inputs.release_version }}"
+      run: ./scripts/docker-release/push_docker.sh "${RELEASE_VERSION}"
+      env:
+        RELEASE_VERSION: ${{ inputs.release_version }}
diff --git a/.github/workflows/maven-goal-jdk/action.yml b/.github/workflows/maven-goal-jdk/action.yml
@@ -32,9 +32,11 @@ runs:
     - name: Set up TEST_JAVA_BINARY environment variable
       shell: bash
       run: |
-        major_version="$(echo '${{ inputs.test-java-version }}' | sed 's/\([0-9]*\).*/\1/')"
+        major_version="$(echo "${TEST_JAVA_VERSION}" | sed 's/\([0-9]*\).*/\1/')"
         java_home_var=JAVA_HOME_${major_version}_${{ runner.arch }}
         echo "TEST_JAVA_BINARY=${!java_home_var}/bin/java" >> $GITHUB_ENV
+      env:
+        TEST_JAVA_VERSION: ${{ inputs.test-java-version }}
 
     - uses: ./.github/workflows/maven-goal
       with:
diff --git a/.github/workflows/maven-goal/action.yml b/.github/workflows/maven-goal/action.yml
@@ -21,5 +21,7 @@ runs:
         java-version-file: .java-version
         distribution: temurin
         cache: 'maven'
-    - run: ${{ inputs.command }}
+    - run: "${COMMAND}"
       shell: ${{ inputs.shell }}
+      env:
+        COMMAND: ${{ inputs.command }}
diff --git a/.github/workflows/pre-post-release.yml b/.github/workflows/pre-post-release.yml
@@ -101,10 +101,14 @@ jobs:
       - name: Push the ${{ inputs.phase }} release branch
         run: |
           git add --all
-          git commit -m "${{ inputs.phase }} release: elastic-apm-agent ${{ env.RELEASE_VERSION_TAG }}"
+          git commit -m "${PHASE} release: elastic-apm-agent ${{ env.RELEASE_VERSION_TAG }}"
           git push origin ${{ env.BRANCH_NAME }}
+        env:
+          PHASE: ${{ inputs.phase }}
 
       - name: Create the ${{ inputs.phase }} release PR
-        run: gh pr create --title="${{ inputs.pr_title }}" --base main --head ${{ env.BRANCH_NAME }} -b "${{ inputs.pr_body }}"
+        run: gh pr create --title="${PR_TITLE}" --base main --head $BRANCH_NAME -b "${PR_BODY}"
         env:
           GH_TOKEN: ${{ steps.get_token.outputs.token }}
+          PR_TITLE: ${{ inputs.pr_title }}
+          PR_BODY: ${{ inputs.pr_body }}
diff --git a/.github/workflows/stash/action.yml b/.github/workflows/stash/action.yml
@@ -13,8 +13,11 @@ runs:
   using: "composite"
   steps:
     - name: Create stash
-      run: tar -acf ${{ runner.temp }}/${{ inputs.name }}.tar.zst -C ${{ inputs.path }} ./
+      run: tar -acf "${{ runner.temp }}/${ARTIFACT_NAME}".tar.zst -C "${ARTIFACT_PATH}" ./
       shell: bash
+      env:
+        ARTIFACT_NAME: ${{ inputs.name }}
+        ARTIFACT_PATH: ${{ inputs.path }}
 
     - name: Upload stash
       uses: actions/upload-artifact@v4
diff --git a/.github/workflows/unstash/action.yml b/.github/workflows/unstash/action.yml
@@ -19,5 +19,8 @@ runs:
         path: ${{ runner.temp }}
 
     - name: Extract stash
-      run: tar -xf ${{ runner.temp }}/${{ inputs.name }}.tar.zst -C ${{ inputs.path }}
+      run: tar -xf "${{ runner.temp }}/${ARTIFACT_NAME}".tar.zst -C "${ARTIFACT_PATH}"
       shell: bash
+      env:
+        ARTIFACT_NAME: ${{ inputs.name }}
+        ARTIFACT_PATH: ${{ inputs.path }}
diff --git a/.github/workflows/validate-tag/action.yml b/.github/workflows/validate-tag/action.yml
@@ -15,11 +15,13 @@ runs:
       id: validate-tag
       shell: 'bash'
       run: |
-        if ! [ $(echo "${{ inputs.tag }}" | grep -P "(\d{1,2})\.(\d{1,2})\.(\d{1,2})") ]; then
+        if ! [ $(echo "${TAG}" | grep -P "(\d{1,2})\.(\d{1,2})\.(\d{1,2})") ]; then
           echo "Tag should be a SemVer format"
           exit 1
         fi
-        if [ $(git tag -l "${{ inputs.tag }}") ]; then
-          echo "The tag ${{ inputs.tag }} already exists"
+        if [ $(git tag -l "${TAG}") ]; then
+          echo "The tag ${TAG} already exists"
           exit 1
         fi
+      env:
+        TAG: ${{ inputs.tag }}
