ci: fix semgrep reported run-shell-injection (#347)

oakrizan · web-flow · commit 07b1c76fd224 · 2025-08-13T09:24:57.000+02:00
* ci: fix semgrep reported run-shell-injection

* updated PR according to reviews
diff --git a/.github/workflows/maven-goal/action.yml b/.github/workflows/maven-goal/action.yml
@@ -25,5 +25,7 @@ runs:
         java-version-file: .java-version
         distribution: ${{ inputs.distribution }}
         cache: 'maven'
-    - run: ${{ inputs.command }}
+    - run: "${COMMAND}"
       shell: ${{ inputs.shell }}
+      env:
+        COMMAND: ${{ inputs.command }}
diff --git a/.github/workflows/pre-post-release.yml b/.github/workflows/pre-post-release.yml
@@ -99,10 +99,14 @@ jobs:
       - name: Push the ${{ inputs.phase }} release branch
         run: |
           git add --all
-          git commit -m "${{ inputs.phase }} release: ecs-logging-java v${{ env.RELEASE_VERSION }}"
+          git commit -m "${PHASE} release: ecs-logging-java v${{ env.RELEASE_VERSION }}"
           git push origin ${{ env.BRANCH_NAME }}
+        env:
+          PHASE: ${{ inputs.phase }}
 
       - name: Create the ${{ inputs.phase }} release PR
-        run: gh pr create --title="${{ inputs.pr_title }}" --base main --head ${{ env.BRANCH_NAME }} -b "${{ inputs.pr_body }}"
+        run: gh pr create --title="${PR_TITLE}" --base main --head ${{ env.BRANCH_NAME }} -b "${PR_BODY}"
         env:
           GH_TOKEN: ${{ steps.get_token.outputs.token }}
+          PR_TITLE: ${{ inputs.pr_title }}
+          PR_BODY: ${{ inputs.pr_body }}
diff --git a/.github/workflows/validate-tag/action.yml b/.github/workflows/validate-tag/action.yml
@@ -15,11 +15,13 @@ runs:
       id: validate-tag
       shell: 'bash'
       run: |
-        if ! [ $(echo "${{ inputs.tag }}" | grep -P "(\d{1,2})\.(\d{1,2})\.(\d{1,2})") ]; then
+        if ! [ $(echo "${TAG}" | grep -P "(\d{1,2})\.(\d{1,2})\.(\d{1,2})") ]; then
           echo "Tag should be a SemVer format"
           exit 1
         fi
-        if [ $(git tag -l "${{ inputs.tag }}") ]; then
-          echo "The tag ${{ inputs.tag }} already exists"
+        if [ $(git tag -l "${TAG}") ]; then
+          echo "The tag ${TAG} already exists"
           exit 1
         fi
+      env:
+        TAG: ${{ inputs.tag }}
