address sourcery comment to prevent injection vulnerabilities

saichandrapandraju · saichandrapandraju · commit 63c2c0fe8686 · 2025-08-08T10:25:11.000-04:00
diff --git a/.github/workflows/build-and-push.yaml b/.github/workflows/build-and-push.yaml
@@ -47,36 +47,48 @@ jobs:
       #
       # Print variables for debugging
       - name: Log reference variables
+        env:
+          GITHUB_REF: ${{ github.ref }}
+          GITHUB_HEAD_REF: ${{ github.head_ref }}
+          PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
+          QUAY_RELEASE_REPO: ${{ vars.QUAY_RELEASE_REPO }}
         run: |
-          echo "CONTEXT: ${{ env.BUILD_CONTEXT }}"
-          echo "GITHUB.REF: ${{ github.ref }}"
-          echo "GITHUB.HEAD_REF: ${{ github.head_ref }}"
-          echo "SHA: ${{ github.event.pull_request.head.sha }}"
-          echo "MAIN IMAGE AT: ${{ vars.QUAY_RELEASE_REPO }}:latest"
-          echo "CI IMAGE AT: quay.io/trustyai/guardrails-detector-huggingface-runtime-ci:${{ github.event.pull_request.head.sha }}"
-          echo "Built-In Detector CI IMAGE AT: quay.io/trustyai/guardrails-detector-built-in-ci:${{ github.event.pull_request.head.sha }}"
-          echo "LLM Judge CI IMAGE AT: quay.io/trustyai/guardrails-detector-llm-judge-ci:${{ github.event.pull_request.head.sha }}"
+          echo "CONTEXT: $BUILD_CONTEXT"
+          echo "GITHUB.REF: $GITHUB_REF"
+          echo "GITHUB.HEAD_REF: $GITHUB_HEAD_REF"
+          echo "SHA: $PR_HEAD_SHA"
+          echo "MAIN IMAGE AT: $QUAY_RELEASE_REPO:latest"
+          echo "CI IMAGE AT: quay.io/trustyai/guardrails-detector-huggingface-runtime-ci:$PR_HEAD_SHA"
+          echo "Built-In Detector CI IMAGE AT: quay.io/trustyai/guardrails-detector-built-in-ci:$PR_HEAD_SHA"
+          echo "LLM Judge CI IMAGE AT: quay.io/trustyai/guardrails-detector-llm-judge-ci:$PR_HEAD_SHA"
 
       # Set environments depending on context
       - name: Set CI environment
         if:  env.BUILD_CONTEXT == 'ci'
+        env:
+          PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
         run: |
-          echo "TAG=${{ github.event.pull_request.head.sha }}" >> $GITHUB_ENV
+          echo "TAG=$PR_HEAD_SHA" >> $GITHUB_ENV
           echo "IMAGE_NAME=quay.io/trustyai/guardrails-detector-huggingface-runtime-ci" >> $GITHUB_ENV
           echo "BUILTIN_IMAGE_NAME=quay.io/trustyai/guardrails-detector-built-in-ci" >> $GITHUB_ENV
           echo "LLM_JUDGE_IMAGE_NAME=quay.io/trustyai/guardrails-detector-llm-judge-ci" >> $GITHUB_ENV
       - name: Set main-branch environment
         if:  env.BUILD_CONTEXT == 'main'
+        env:
+          QUAY_RELEASE_REPO: ${{ vars.QUAY_RELEASE_REPO }}
         run: |
           echo "TAG=latest" >> $GITHUB_ENV
-          echo "IMAGE_NAME=${{ vars.QUAY_RELEASE_REPO }}" >> $GITHUB_ENV
+          echo "IMAGE_NAME=$QUAY_RELEASE_REPO" >> $GITHUB_ENV
           echo "BUILTIN_IMAGE_NAME=quay.io/trustyai/guardrails-detector-built-in" >> $GITHUB_ENV
           echo "LLM_JUDGE_IMAGE_NAME=quay.io/trustyai/guardrails-detector-llm-judge" >> $GITHUB_ENV
       - name: Set tag environment
         if: env.BUILD_CONTEXT == 'tag'
+        env:
+          GITHUB_REF_NAME: ${{ github.ref_name }}
+          QUAY_RELEASE_REPO: ${{ vars.QUAY_RELEASE_REPO }}
         run: |
-          echo "TAG=${{ github.ref_name }}" >> $GITHUB_ENV
-          echo "IMAGE_NAME=${{ vars.QUAY_RELEASE_REPO }}" >> $GITHUB_ENV
+          echo "TAG=$GITHUB_REF_NAME" >> $GITHUB_ENV
+          echo "IMAGE_NAME=$QUAY_RELEASE_REPO" >> $GITHUB_ENV
           echo "BUILTIN_IMAGE_NAME=quay.io/trustyai/guardrails-detector-built-in" >> $GITHUB_ENV
           echo "LLM_JUDGE_IMAGE_NAME=quay.io/trustyai/guardrails-detector-llm-judge" >> $GITHUB_ENV
       #
@@ -88,19 +100,22 @@ jobs:
           echo 'LABEL quay.expires-after=7d#' >> detectors/Dockerfile.builtIn
           echo 'LABEL quay.expires-after=7d#' >> detectors/Dockerfile.judge
       - name: Build image
-        run: docker build -t ${{ env.IMAGE_NAME }}:$TAG -f detectors/Dockerfile.hf detectors
+        run: docker build -t "$IMAGE_NAME:$TAG" -f detectors/Dockerfile.hf detectors
       - name: Log in to Quay
-        run: docker login -u ${{ secrets.QUAY_ROBOT_USERNAME }} -p ${{ secrets.QUAY_ROBOT_SECRET }} quay.io
+        env:
+          QUAY_ROBOT_USERNAME: ${{ secrets.QUAY_ROBOT_USERNAME }}
+          QUAY_ROBOT_SECRET: ${{ secrets.QUAY_ROBOT_SECRET }}
+        run: docker login -u "$QUAY_ROBOT_USERNAME" -p "$QUAY_ROBOT_SECRET" quay.io
       - name: Push to Quay CI repo
-        run: docker push ${{ env.IMAGE_NAME }}:$TAG
+        run: docker push "$IMAGE_NAME:$TAG"
       - name: Build built-in detector image
-        run: docker build -t ${{ env.BUILTIN_IMAGE_NAME }}:$TAG -f detectors/Dockerfile.builtIn detectors
+        run: docker build -t "$BUILTIN_IMAGE_NAME:$TAG" -f detectors/Dockerfile.builtIn detectors
       - name: Push to Quay CI repo
-        run: docker push ${{ env.BUILTIN_IMAGE_NAME }}:$TAG
+        run: docker push "$BUILTIN_IMAGE_NAME:$TAG"
       - name: Build LLM Judge detector image
-        run: docker build -t ${{ env.LLM_JUDGE_IMAGE_NAME }}:$TAG -f detectors/Dockerfile.judge detectors
+        run: docker build -t "$LLM_JUDGE_IMAGE_NAME:$TAG" -f detectors/Dockerfile.judge detectors
       - name: Push LLM Judge image to Quay CI repo
-        run: docker push ${{ env.LLM_JUDGE_IMAGE_NAME }}:$TAG
+        run: docker push "$LLM_JUDGE_IMAGE_NAME:$TAG"
       # Leave comment
       - uses: peter-evans/find-comment@v3
         name: Find Comment
@@ -113,16 +128,18 @@ jobs:
       - uses: peter-evans/create-or-update-comment@v4
         if:  env.BUILD_CONTEXT == 'ci'
         name: Generate/update success message comment
+        env:
+          PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
         with:
           comment-id: ${{ steps.fc.outputs.comment-id }}
           issue-number: ${{ github.event.pull_request.number }}
           edit-mode: replace
           body: |
             PR image build completed successfully!
             
-            📦 [PR image](https://quay.io/repository/trustyai/guardrails-detector-huggingface-runtime-ci?tab=tags): `quay.io/trustyai/guardrails-detector-huggingface-runtime-ci:${{ github.event.pull_request.head.sha }}`
-            📦 [PR image](https://quay.io/trustyai/guardrails-detector-built-in-ci?tab=tags): `quay.io/trustyai/guardrails-detector-built-in-ci:${{ github.event.pull_request.head.sha }}`
-            📦 [PR image](https://quay.io/trustyai/guardrails-detector-llm-judge-ci?tab=tags): `quay.io/trustyai/guardrails-detector-llm-judge-ci:${{ github.event.pull_request.head.sha }}`
+            📦 [PR image](https://quay.io/repository/trustyai/guardrails-detector-huggingface-runtime-ci?tab=tags): `quay.io/trustyai/guardrails-detector-huggingface-runtime-ci:$PR_HEAD_SHA`
+            📦 [PR image](https://quay.io/trustyai/guardrails-detector-built-in-ci?tab=tags): `quay.io/trustyai/guardrails-detector-built-in-ci:$PR_HEAD_SHA`
+            📦 [PR image](https://quay.io/trustyai/guardrails-detector-llm-judge-ci?tab=tags): `quay.io/trustyai/guardrails-detector-llm-judge-ci:$PR_HEAD_SHA`
       - name: Trivy scan
         uses: aquasecurity/trivy-action@0.28.0
         with:
