redhat-certification · komish · Aug 7, 2025 · Aug 6, 2025
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -64,9 +64,11 @@ jobs:
             - name: Check if only release file in PR
               working-directory: ./chart-verifier
               id: check_version_in_PR
+              env:
+                API_URL: ${{ github.event.pull_request._links.self.href }}
               run: |
                 # check if release file only is included in PR
-                ve1/bin/release-checker --api-url=${{ github.event.pull_request._links.self.href }}
+                ve1/bin/release-checker --api-url="${API_URL}"
 
             - name: Get Date
               id: get-date
@@ -96,10 +98,10 @@ jobs:
               run: |
                   # build a podman image
                   image_tag="test"
-                  echo "Building container image using podman for the tests, tagging as $image_tag"
-                  make build-image IMAGE_TAG=$image_tag
-                  podman build -t quay.io/redhat-certification/chart-verifier:$image_tag .
-                  echo "podman_image_tag=$image_tag" | tee -a $GITHUB_OUTPUT
+                  echo "Building container image using podman for the tests, tagging as ${image_tag}"
+                  make build-image "IMAGE_TAG=${image_tag}"
+                  podman build -t "quay.io/redhat-certification/chart-verifier:${image_tag}" .
+                  echo "podman_image_tag=${image_tag}" | tee -a $GITHUB_OUTPUT
 
             - name: Create tarfile
               id: create-tarfile
@@ -112,6 +114,7 @@ jobs:
               working-directory: ./chart-verifier
               env:
                   KUBECONFIG: /tmp/ci-kubeconfig
+                  EVENT_NUMBER: ${{ github.event.number }}
               run: |
                   # oc login
                   API_SERVER=$( echo -n ${{ secrets.API_SERVER }} | base64 -d)
@@ -120,11 +123,11 @@ jobs:
                   if [ $GITHUB_REPOSITORY == "redhat-certification/chart-verifier" ]; then
                     # TODO: temporarily allow for skipping TLS verification as the new cluster uses local-only certificates
                     # This if logic isn't removed to remind us to come back and swap this out when a valid cert is put in place.
-                    oc login --insecure-skip-tls-verify --token=${{ secrets.CLUSTER_TOKEN }} --server=${API_SERVER}
+                    oc login --insecure-skip-tls-verify --token="${{ secrets.CLUSTER_TOKEN }}" --server="${API_SERVER}"
                   else
-                    oc login --insecure-skip-tls-verify --token=${{ secrets.CLUSTER_TOKEN }} --server=${API_SERVER}
+                    oc login --insecure-skip-tls-verify --token="${{ secrets.CLUSTER_TOKEN }}" --server="${API_SERVER}"
                   fi
-                  ve1/bin/sa-for-chart-testing --create charts-${{ github.event.number }} --token token.txt --server ${API_SERVER}
+                  ve1/bin/sa-for-chart-testing --create "charts-${EVENT_NUMBER}" --token token.txt --server "${API_SERVER}"
 
             - name: Run the tests
               working-directory: ./chart-verifier
@@ -142,11 +145,12 @@ jobs:
               working-directory: ./chart-verifier
               env:
                   KUBECONFIG: /tmp/ci-kubeconfig
+                  EVENT_NUMBER: ${{ github.event.number }}
               run: |
                   # delete the namespace
                   API_SERVER=$( echo -n ${{ secrets.API_SERVER }} | base64 -d)
-                  oc login --token=${{ secrets.CLUSTER_TOKEN }} --server=${API_SERVER}
-                  ve1/bin/sa-for-chart-testing --delete charts-${{ github.event.number }}
+                  oc login --token="${{ secrets.CLUSTER_TOKEN }}" --server="${API_SERVER}"
+                  ve1/bin/sa-for-chart-testing --delete "charts-${EVENT_NUMBER}"
 
             - name: Set up Python scripts on main branch
               run: |
@@ -158,16 +162,21 @@ jobs:
 
             - name: Check for restricted files and user permissiom
               id: check_authorization
+              env:
+                API_URL: ${{ github.event.pull_request._links.self.href }}
+                API_USER: ${{ github.event.pull_request.user.login }}
               run: |
                 # check for a restricted file and, if found, check user has permissiom
-                ve1/bin/check-user --api-url=${{ github.event.pull_request._links.self.href }} --user=${{ github.event.pull_request.user.login }}
+                ve1/bin/check-user --api-url="${API_URL}" --user="${API_USER}"
 
             - name: Check if version updated
               id: check_version_updated
               if: ${{ steps.check_version_in_PR.outputs.PR_includes_release == 'true' }}
+              env:
+                PR_VERSION: ${{ steps.check_version_in_PR.outputs.PR_version }}
               run: |
                 # check if version file was changed
-                ve1/bin/release-checker --version=${{ steps.check_version_in_PR.outputs.PR_version }}
+                ve1/bin/release-checker --version="${PR_VERSION}"
 
             - name: Approve PR
               id: approve_pr

diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml
@@ -78,7 +78,9 @@ jobs:
 
     - name: Result from "Send Message to helm_dev slack channel"
       if: ${{ always() &&  github.event_name == 'schedule' && steps.codeql_analysis.conclusion != 'success' }}
-      run: echo "The result was ${{ steps.notify_dev.outputs.slack-result }}"
+      env:
+        SLACK_RESULT: ${{ steps.notify_dev.outputs.slack-result }}
+      run: echo "The result was ${SLACK_RESULT}"
 
     - name: Send message to helm_notify slack channel
       id: notify
@@ -91,4 +93,6 @@ jobs:
 
     - name: Result from "Send Message to helm_notify slack channel"
       if: ${{ always() &&  github.event_name == 'schedule' && steps.codeql_analysis.conclusion == 'success' }}
-      run: echo "The result was ${{ steps.notify.outputs.slack-result }}"
+      env:
+        SLACK_RESULT: ${{ steps.notify.outputs.slack-result }}
+      run: echo "The result was ${SLACK_RESULT}"
diff --git a/.github/workflows/dev_release.yaml b/.github/workflows/dev_release.yaml
@@ -45,7 +45,7 @@ jobs:
               id: create-tarfile
               run: |
                 # check if release file only is included in PR
-                ve1/bin/tar-file --release=${DEV_RELEASE}
+                ve1/bin/tar-file --release="${DEV_RELEASE}"
 
             - name: Delete previous release and tag
               id: delete-previous

diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
@@ -28,12 +28,14 @@ jobs:
 
       - name: Build container images
         id: build_container_images
+        env:
+          COMMIT_ID: ${{ steps.get_commit_id.outputs.commit_id }}
         run: |
             podman version
             # Build podman images locally
-            make build-image IMAGE_TAG=${{ steps.get_commit_id.outputs.commit_id }} QUAY_EXPIRE_AFTER=1w
+            make build-image "IMAGE_TAG=${COMMIT_ID}" QUAY_EXPIRE_AFTER=1w
             make build-image IMAGE_TAG=main
-            podman tag ${{ env.CONTAINER_REGISTRY }}/chart-verifier:main ${{ env.CONTAINER_REGISTRY }}/chart-verifier:${{ env.DEV_RELEASE }}
+            podman tag "${CONTAINER_REGISTRY}/chart-verifier:main" "${CONTAINER_REGISTRY}/chart-verifier:${DEV_RELEASE}"
 
       - name: Push to quay.io
         id: push_to_quay

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -60,25 +60,31 @@ jobs:
 
       - name: Build binary and make tarball
         id: build_bin
+        env:
+          RELEASE_VERSION: ${{ steps.get_tag.outputs.release_version }}
         run: |
           make bin
-          TARBALL_NAME="chart-verifier-${{ steps.get_tag.outputs.release_version }}.tgz"
-          tar -zcvf $TARBALL_NAME -C out/ chart-verifier
-          export TARBALL_PATH=$(realpath $TARBALL_NAME)
+          TARBALL_NAME="chart-verifier-${RELEASE_VERSION}.tgz"
+          tar -zcvf "$TARBALL_NAME" -C out/ chart-verifier
+          export TARBALL_PATH=$(realpath "$TARBALL_NAME")
           echo "tarball_path=$TARBALL_PATH" | tee -a $GITHUB_OUTPUT
 
       - name: Check that the tag matches the current version
         id: check_tag_and_version
+        env:
+          RELEASE_VERSION: ${{ steps.get_tag.outputs.release_version }}
         run: |
-          release_version=${{ steps.get_tag.outputs.release_version }}
           bin_version=$(out/chart-verifier version --as-data | jq -r .version)
-          if [[ "$release_version" != "$bin_version" ]]; then
-            echo "Binary version ($bin_version) doesn't match tag ($release_version)" && exit 1
+          if [[ "${RELEASE_VERSION}" != "$bin_version" ]]; then
+            echo "Binary version ($bin_version) doesn't match tag (${RELEASE_VERSION})" && exit 1
           fi
 
       - name: Generate SBOM filename
         id: generate_sbom_filename
-        run: echo sbom_filename="${{ github.event.repository.name }}-${{ steps.get_tag.outputs.release_version }}-sbom.spdx.json" | tee -a $GITHUB_OUTPUT
+        env:
+          REPOSITORY_NAME: ${{ github.event.repository.name }}
+          RELEASE_VERSION: ${{ steps.get_tag.outputs.release_version }}
+        run: echo sbom_filename="${REPOSITORY_NAME}-${RELEASE_VERSION}-sbom.spdx.json" | tee -a $GITHUB_OUTPUT
 
       - name: Generate SBOM
         continue-on-error: true
@@ -122,12 +128,14 @@ jobs:
 
       - name: Build container images
         id: build_container_images
+        env:
+          RELEASE_VERSION: ${{ steps.get_tag.outputs.release_version }}
         run: |
             # Build podman images locally
-            make build-image IMAGE_TAG=${{ steps.get_tag.outputs.release_version }} IMAGE_REPO=${{ secrets.IMAGE_REGISTRY }}
+            make build-image "IMAGE_TAG=${RELEASE_VERSION}" "IMAGE_REPO=${{ secrets.IMAGE_REGISTRY }}"
             podman tag \
-              ${{ secrets.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.get_tag.outputs.release_version }} \
-              ${{ secrets.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}:latest
+              "${{ secrets.IMAGE_REGISTRY }}/${IMAGE_NAME}:${RELEASE_VERSION}" \
+              "${{ secrets.IMAGE_REGISTRY }}/${IMAGE_NAME}:latest"
 
       - name: Push to quay.io
         id: push_to_quay
@@ -143,16 +151,20 @@ jobs:
 
       - name: Sign published image
         id: sign-image
+        env:
+          DIGEST: ${{ steps.push_to_quay.outputs.digest }}
         run: |
           cosign sign \
             --yes \
-            --registry-username ${{ secrets.QUAY_BOT_USERNAME }} \
-            --registry-password ${{ secrets.QUAY_BOT_TOKEN }} \
-            ${{ secrets.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.push_to_quay.outputs.digest }}
+            --registry-username "${{ secrets.QUAY_BOT_USERNAME }}" \
+            --registry-password "${{ secrets.QUAY_BOT_TOKEN }}" \
+            "${{ secrets.IMAGE_REGISTRY }}/${IMAGE_NAME}@${DIGEST}"
 
       - name: Verify the image signature
+        env:
+          RELEASE_VERSION: ${{ steps.get_tag.outputs.release_version }}
         run: |
           cosign verify \
-            --certificate-identity https://github.com/${{ github.repository }}/.github/workflows/release.yaml@refs/tags/${{ steps.get_tag.outputs.release_version }} \
+            --certificate-identity "https://github.com/${GITHUB_REPOSITORY}/.github/workflows/release.yaml@refs/tags/${RELEASE_VERSION}" \
             --certificate-oidc-issuer https://token.actions.githubusercontent.com \
-            ${{ secrets.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.get_tag.outputs.release_version }}
+            "${{ secrets.IMAGE_REGISTRY }}/${IMAGE_NAME}:${RELEASE_VERSION}"