ci: use env vars to avoid template expansion in code contexts

Template expansions are not aware of shell script syntax, and therefore
can potentially result in code injection vulnerabilities when used in
code contexts: https://docs.zizmor.sh/audits/#template-injection

To avoid this, instead use environment variables to safely store the
values of the template expansions.

Also (in the process of doing the above) added double-quotes around a
some instances of variable expansions in shell scripts, which is
necessary to avoid unintended shell splitting and globbing. (I didn't
see any instances where this was actually likely to result in erroneous
behavior, but it's good practice and makes shell scripts more robust.)

Signed-off-by: Daniel Hast <hast.daniel@protonmail.com>

Author: HastD

.github/workflows/dev-bump.yml

@@ -22,8 +22,7 @@ jobs:
       - name: Bump
         id: bump
         run: |
-          ref=${{ github.ref_name }}
-          version=${ref#v}
+          version=${GITHUB_REF_NAME#v}
           if [[ $version == *-rc* ]]; then
               devbump="${version%-*}-dev"
               echo "::notice:: is a rc - bumping z down to $devbump"
@@ -38,49 +37,52 @@ jobs:
 
           echo "devbump=$devbump" >> $GITHUB_OUTPUT
       - name: Push
+        env:
+          DEVBUMP: ${{ steps.bump.outputs.devbump }}
         run: |
           # Make committer the user who triggered the action, either through cutting a release or manual trigger
           # GitHub gives everyone a noreply email associated with their account, use that email for the sign-off
-          git config --local user.name ${{ github.actor }}
-          git config --local user.email "${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com"
-          bumpbranch="bump-${{ steps.bump.outputs.devbump }}"
+          git config --local user.name "${GITHUB_ACTOR}"
+          git config --local user.email "${GITHUB_ACTOR_ID}+${GITHUB_ACTOR}@users.noreply.github.com"
+          bumpbranch="bump-${DEVBUMP}"
           git checkout -b $bumpbranch
           git add version/rawversion/version.go
-          git commit --signoff -m "Bump Podman to v${{ steps.bump.outputs.devbump }}"
+          git commit --signoff -m "Bump Podman to v${DEVBUMP}"
           git remote add podmanbot https://github.com/podmanbot/podman
           git push -f podmanbot "$bumpbranch"
       - name: Check open PRs
         id: checkpr
         env:
+          DEVBUMP: ${{ steps.bump.outputs.devbump }}
           GH_TOKEN: ${{ secrets.PODMANBOT_TOKEN }}
         run: |
           prs=$(gh pr list \
-            --repo ${{ github.repository }} \
-            --head bump-${{ steps.bump.outputs.devbump }} \
+            --repo "${GITHUB_REPOSITORY}" \
+            --head "bump-${DEVBUMP}" \
             --state open \
             --json title \
             --jq 'length')
           if ((prs > 0)); then
-            echo "SKIPPING: PR already exists to update from ${{ github.ref_name }}."
+            echo "SKIPPING: PR already exists to update from ${GITHUB_REF_NAME}."
           else
             echo "prexists=false" >> "$GITHUB_OUTPUT"
           fi
       - name: Open PR
         if: steps.checkpr.outputs.prexists == 'false'
         id: pr
+        env:
+          DEVBUMP: ${{ steps.bump.outputs.devbump }}
+          GH_TOKEN: ${{ secrets.PODMANBOT_TOKEN }}
         run: |
-          bumpbranch="bump-${{ steps.bump.outputs.devbump }}"
-          ref=${{ github.ref_name }}
-          base=${ref%.*}
+          bumpbranch="bump-${DEVBUMP}"
+          base=${GITHUB_REF_NAME%.*}
           body=$(printf '```release-note\nNone\n```\n')
           gh pr create \
-            --title "Bump Podman to v${{ steps.bump.outputs.devbump }}" \
+            --title "Bump Podman to v${DEVBUMP}" \
             --body  "$body" \
             --head "podmanbot:$bumpbranch" \
             --base "$base" \
-            --repo ${{ github.repository }}
-        env:
-          GH_TOKEN: ${{ secrets.PODMANBOT_TOKEN }}
+            --repo "${GITHUB_REPOSITORY}"
   mainbump:
     name: Bump on main
     runs-on: ubuntu-latest
@@ -99,8 +101,7 @@ jobs:
         id: check
         run: |
           mainvers=`grep -P '(?<=const RawVersion = ")(\d.\d)' -o version/rawversion/version.go`
-          ref=${{ github.ref_name }}
-          releasevers=${ref#v}
+          releasevers=${GITHUB_REF_NAME#v}
           if echo "${mainvers},${releasevers}" | tr ',' '\n' | sort -V -C
           then
               echo "bump=true" >> $GITHUB_OUTPUT
@@ -112,8 +113,7 @@ jobs:
         id: bump
         if: steps.check.outputs.bump == 'true'
         run: |
-          ref=${{ github.ref_name }}
-          releasevers=${ref#v}
+          releasevers=${GITHUB_REF_NAME#v}
 
           arr=($(echo "$releasevers" | tr . '\n'))
           arr[1]=$((${arr[1]}+1))
@@ -126,44 +126,48 @@ jobs:
           echo "devbump=$devbump" >> $GITHUB_OUTPUT
       - name: Push
         if: steps.check.outputs.bump == 'true'
+        env:
+          DEVBUMP: ${{ steps.bump.outputs.devbump }}
         run: |
           # Make committer the user who triggered the action, either through cutting a release or manual trigger
-          # GitHub gisves everyone a noreply email associated with their account, use that email for the sign-off
-          git config --local user.name ${{ github.actor }}
-          git config --local user.email "${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com"
-          bumpbranch="bump-main-${{ steps.bump.outputs.devbump }}"
+          # GitHub gives everyone a noreply email associated with their account, use that email for the sign-off
+          git config --local user.name "${GITHUB_ACTOR}"
+          git config --local user.email "${GITHUB_ACTOR_ID}+${GITHUB_ACTOR}@users.noreply.github.com"
+          bumpbranch="bump-main-${DEVBUMP}"
           git checkout -b $bumpbranch
           git add version/rawversion/version.go
-          git commit --signoff -m "Bump main to v${{ steps.bump.outputs.devbump }}"
+          git commit --signoff -m "Bump main to v${DEVBUMP}"
           git remote add podmanbot https://github.com/podmanbot/podman
           git push -f podmanbot "$bumpbranch"
       - name: Check open PRs
         id: checkpr
         if: steps.check.outputs.bump == 'true'
         env:
+          DEVBUMP: ${{ steps.bump.outputs.devbump }}
           GH_TOKEN: ${{ secrets.PODMANBOT_TOKEN }}
         run: |
           prs=$(gh pr list \
-            --repo ${{ github.repository }} \
-            --head bump-main-${{ steps.bump.outputs.devbump }} \
+            --repo "${GITHUB_REPOSITORY}" \
+            --head "bump-main-${DEVBUMP}" \
             --state open \
             --json title \
             --jq 'length')
           if ((prs > 0)); then
-            echo "SKIPPING: PR already exists to update to ${{ steps.bump.outputs.devbump }}."
+            echo "SKIPPING: PR already exists to update to ${DEVBUMP}."
           else
             echo "prexists=false" >> "$GITHUB_OUTPUT"
           fi
       - name: Open PR
         if: steps.check.outputs.bump == 'true' &&  steps.checkpr.outputs.prexists == 'false'
+        env:
+          DEVBUMP: ${{ steps.bump.outputs.devbump }}
+          GH_TOKEN: ${{ secrets.PODMANBOT_TOKEN }}
         run: |
-          bumpbranch="bump-main-${{ steps.bump.outputs.devbump }}"
+          bumpbranch="bump-main-${DEVBUMP}"
           body=$(printf '```release-note\nNone\n```\n')
           gh pr create \
-            --title "Bump main to v${{ steps.bump.outputs.devbump }}" \
+            --title "Bump main to v${DEVBUMP}" \
             --body  "$body" \
             --head "podmanbot:$bumpbranch" \
             --base "main" \
-            --repo ${{ github.repository }}
-        env:
-          GH_TOKEN: ${{ secrets.PODMANBOT_TOKEN }}
+            --repo "${GITHUB_REPOSITORY}"

.github/workflows/first_contrib_cert_generator.yml

@@ -65,10 +65,11 @@ jobs:
       # Step 3: Update the HTML file locally
       - name: Update HTML file
         if: ${{ github.event_name == 'workflow_dispatch' || steps.check_first_pr.outputs.is_first_pr == 'true' }}
+        env:
+          CONTRIBUTOR_NAME: ${{ github.event.inputs.contributor_username || github.event.pull_request.user.login }}
+          PR_NUMBER: ${{ github.event.inputs.pr_number || github.event.pull_request.number }}
         run: |
           HTML_FILE="automation-repo/certificate-generator/certificate_generator.html"
-          CONTRIBUTOR_NAME="${{ github.event.inputs.contributor_username || github.event.pull_request.user.login }}"
-          PR_NUMBER="${{ github.event.inputs.pr_number || github.event.pull_request.number }}"
           MERGE_DATE=$(date -u +"%B %d, %Y")
 
           sed --sandbox -i -e "/id=\"contributorName\"/s/value=\"[^\"]*\"/value=\"${CONTRIBUTOR_NAME}\"/" ${HTML_FILE} || { echo "ERROR: Failed to update contributor name."; exit 1; }
@@ -120,6 +121,10 @@ jobs:
       - name: Upload certificate to separate repository
         if: ${{ github.event_name == 'workflow_dispatch' || steps.check_first_pr.outputs.is_first_pr == 'true' }}
         uses: actions/github-script@v8
+        env:
+          CONTRIBUTOR_USERNAME: ${{ github.event.inputs.contributor_username }}
+          USER_LOGIN: ${{ github.event.pull_request.user.login }}
+          PR_NUMBER: ${{ github.event.inputs.pr_number }}
         with:
           github-token: ${{ secrets.CERTIFICATES_REPO_TOKEN }}
           script: |
@@ -157,10 +162,10 @@ jobs:
               // Create a unique filename with timestamp
               const timestamp = new Date().toISOString().replace(/[:.]/g, '-');
               const contributorName = context.eventName === 'workflow_dispatch'
-                ? '${{ github.event.inputs.contributor_username }}'
-                : '${{ github.event.pull_request.user.login }}';
+                ? process.env.CONTRIBUTOR_USERNAME
+                : process.env.USER_LOGIN;
               const prNumber = context.eventName === 'workflow_dispatch'
-                ? '${{ github.event.inputs.pr_number }}'
+                ? process.env.PR_NUMBER
                 : context.issue.number;
 
               const filename = `certificates/${contributorName}-${prNumber}-${timestamp}.png`;
@@ -219,6 +224,10 @@ jobs:
       - name: Comment with embedded certificate image
         if: ${{ github.event_name == 'workflow_dispatch' || steps.check_first_pr.outputs.is_first_pr == 'true' }}
         uses: actions/github-script@v8
+        env:
+          CONTRIBUTOR_USERNAME: ${{ github.event.inputs.contributor_username }}
+          USER_LOGIN: ${{ github.event.pull_request.user.login }}
+          PR_NUMBER: ${{ github.event.inputs.pr_number }}
         with:
           script: |
             try {
@@ -240,17 +249,17 @@ jobs:
 
               if (context.eventName === 'workflow_dispatch') {
                 // Manual trigger case
-                const contributorName = '${{ github.event.inputs.contributor_username }}';
-                const prNumber = '${{ github.event.inputs.pr_number }}';
+                const contributorName = process.env.CONTRIBUTOR_USERNAME;
+                const prNumber = process.env.PR_NUMBER;
                 body = `📜 Certificate preview generated for @${contributorName} (PR #${prNumber}):\n\n${body}`;
               } else {
                 // Auto trigger case for first-time contributors
-                const username = '${{ github.event.pull_request.user.login }}';
+                const username = process.env.USER_LOGIN;
                 body = `🎉 Congratulations on your first merged pull request, @${username}! Thank you for your contribution.\n\nHere's a preview of your certificate:\n\n${body}`;
               }
 
               const issueNumber = context.eventName === 'workflow_dispatch' ?
-                parseInt('${{ github.event.inputs.pr_number }}') :
+                parseInt(process.env.PR_NUMBER) :
                 context.issue.number;
 
               await github.rest.issues.createComment({

.github/workflows/mac-pkg.yml

@@ -37,33 +37,42 @@ jobs:
     steps:
     - name: Consolidate dryrun setting to always be true or false
       id: actual_dryrun
+      env:
+        INPUT_DRYRUN: ${{ inputs.dryrun }}
       run: |
         # The 'release' trigger will not have a 'dryrun' input set. Handle
         # this case in a readable/maintainable way.
-        if [[ -z "${{ inputs.dryrun }}" ]]
+        if [[ -z "${INPUT_DRYRUN}" ]]
         then
           echo "dryrun=false" >> $GITHUB_OUTPUT
         else
-          echo "dryrun=${{ inputs.dryrun }}" >> $GITHUB_OUTPUT
+          echo "dryrun=${INPUT_DRYRUN}" >> $GITHUB_OUTPUT
         fi
     - name: Dry Run Status
+      env:
+        DRYRUN: ${{ steps.actual_dryrun.outputs.dryrun }}
       run: |
-        echo "::notice::This workflow execution will be a dry-run: ${{ steps.actual_dryrun.outputs.dryrun }}"
+        echo "::notice::This workflow execution will be a dry-run: ${DRYRUN}"
     - name: Determine Version
       id: getversion
+      env:
+        INPUT_VERSION: ${{ inputs.version }}
+        TAG_NAME: ${{ github.event.release.tag_name }}
       run: |
-        if [[ -z "${{ inputs.version }}" ]]
+        if [[ -z "${INPUT_VERSION}" ]]
         then
-              VERSION=${{ github.event.release.tag_name }}
+              VERSION=${TAG_NAME}
         else
-              VERSION=${{ inputs.version }}
+              VERSION=${INPUT_VERSION}
         fi
         echo
         echo "version=$VERSION" >> $GITHUB_OUTPUT
     - name: Check uploads
       id: check
+      env:
+        VERSION: ${{ steps.getversion.outputs.version }}
       run: |
-        URI="https://github.com/containers/podman/releases/download/${{steps.getversion.outputs.version}}"
+        URI="https://github.com/containers/podman/releases/download/${VERSION}"
         ARM_FILE="podman-installer-macos-arm64.pkg"
         AMD_FILE="podman-installer-macos-amd64.pkg"
         UNIVERSAL_FILE="podman-installer-macos-universal.pkg"
@@ -168,8 +177,9 @@ jobs:
          steps.check.outputs.builduniversal == 'true' )
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        VERSION: ${{ steps.getversion.outputs.version }}
       run: |
-        (gh release download ${{steps.getversion.outputs.version}} -p "shasums" || exit 0)
+        (gh release download "${VERSION}" -p "shasums" || exit 0)
         cat contrib/pkginstaller/out/shasums >> shasums
-        gh release upload ${{steps.getversion.outputs.version}} contrib/pkginstaller/out/podman-installer-macos-*.pkg
-        gh release upload ${{steps.getversion.outputs.version}} --clobber shasums
+        gh release upload "${VERSION}" contrib/pkginstaller/out/podman-installer-macos-*.pkg
+        gh release upload "${VERSION}" --clobber shasums