Avoid running malicious inputs as shell commands in Custom GitHub actions and relate workflows

.github/workflows/github-actions-create-test-build.yml

@@ -20,9 +20,10 @@ jobs:
           install-deps: "no"
 
       - name: Create and commit test build
+        env:
+          BRANCH_NAME: ${{ github.ref_name }}
         run: |
           REPO_URL="${{ github.server_url }}/${{ github.repository }}"
-          BRANCH_NAME="${{ github.ref_name }}"
           TEST_BRANCH_NAME="${BRANCH_NAME}-test-build"
 
           .github/scripts/github-actions-create-and-commit-build.sh "$REPO_URL" "$BRANCH_NAME"

.github/workflows/github-actions-delete-test-build.yml

@@ -15,8 +15,9 @@ jobs:
           ref: trunk
 
       - name: Delete test build branch
+        env:
+          BRANCH_NAME: ${{ format('{0}-test-build', github.event.ref) }}
         run: |
-          BRANCH_NAME="${{ github.event.ref }}-test-build"
           REMOTE_BRANCH_NAME="origin/${BRANCH_NAME}"
 
           git fetch --prune --no-tags --depth=1 origin

packages/github-actions/actions/automerge-released-trunk/action.yml

@@ -11,10 +11,12 @@ runs:
       if: ${{ github.event.pull_request.merged == true && startsWith(github.head_ref, 'release/') && github.event.pull_request.user.login == 'github-actions[bot]' }}
       # Use the github-actions bot account to commit.
       # https://api.github.com/users/github-actions%5Bbot%5D
+      env:
+        HEAD_REF: ${{ github.head_ref }}
       run: |
         git config user.name github-actions[bot]
         git config user.email 41898282+github-actions[bot]@users.noreply.github.com
         git fetch origin develop trunk --unshallow --no-tags
         git checkout develop
-        git merge --no-ff origin/trunk -m "Automerge ${{ github.head_ref }} from trunk to develop"
+        git merge --no-ff origin/trunk -m "Automerge ${HEAD_REF} from trunk to develop"
         git push

packages/github-actions/actions/eslint-annotation/action.yml

@@ -11,8 +11,9 @@ runs:
   steps:
     # Copy formatter script to the destination file path.
     - shell: bash
+      env:
+        SCRIPT_DEST: ${{ inputs.formatter-dest }}
       run: |
-        SCRIPT_DEST="${{ inputs.formatter-dest }}"
         mkdir -p $(dirname "$SCRIPT_DEST")
         echo '/* eslint-disable */' > "$SCRIPT_DEST"
         cat "${{ github.action_path }}/eslintFormatter.cjs" >> "$SCRIPT_DEST"

packages/github-actions/actions/merge-trunk-develop-pr/action.yml

@@ -9,11 +9,11 @@ runs:
       uses: actions/github-script@v6
       with:
         script: |
-          const title = '${{github.event.pull_request.title}} - Merge `trunk` to `develop`';
+          const title = `${ context.payload.pull_request.title } - Merge \`trunk\` to \`develop\``;
           const opts = await github.rest.pulls.create( {
             ...context.repo,
             base: 'develop',
             head: 'trunk',
             title,
-            body: '${{ github.event.pull_request.html_url }}',
+            body: context.payload.pull_request.html_url,
           } );

packages/github-actions/actions/prepare-extension-release/action.yml

@@ -37,20 +37,25 @@ runs:
   steps:
     - name: Set release branch name
       id: release-vars
+      env:
+        INPUT_TYPE: ${{ inputs.type }}
+        INPUT_VERSION: ${{ inputs.version }}
       shell: bash
-      run: echo "branch=${{ inputs.type }}/${{ inputs.version }}" >> $GITHUB_OUTPUT
+      run: echo "branch=${INPUT_TYPE}/${INPUT_VERSION}" >> $GITHUB_OUTPUT
 
     - name: Prepare release commits
+      env:
+        BRANCH_NAME: ${{ steps.release-vars.outputs.branch }}
       shell: bash
        # Use the github-actions bot account to commit.
        # https://api.github.com/users/github-actions%5Bbot%5D
       run: |
         git config user.name github-actions[bot]
         git config user.email 41898282+github-actions[bot]@users.noreply.github.com
-        git checkout -b ${{ steps.release-vars.outputs.branch }}
+        git checkout -b "${BRANCH_NAME}"
 
-        git commit --allow-empty -q -m "Start \`${{ steps.release-vars.outputs.branch }}\`."
-        git push --set-upstream origin ${{ steps.release-vars.outputs.branch }}
+        git commit --allow-empty -q -m "Start \`${BRANCH_NAME}\`."
+        git push --set-upstream origin "${BRANCH_NAME}"
     - name: Create a pull request for the release
       id: prepare-release-pr
       uses: actions/github-script@v6
@@ -64,11 +69,9 @@ runs:
             context,
             github,
             inputs,
-            refName: '${{ steps.release-vars.outputs.branch }}'
+            refName: `${ inputs.type }/${ inputs.version }`,
           } );
     - name: Generate summary
       shell: bash
       run: |
         echo "Release PR created at ${{  fromJSON(steps.prepare-release-pr.outputs.result).html_url }}" >> $GITHUB_STEP_SUMMARY
-
-

packages/github-actions/actions/prepare-node/action.yml

@@ -44,11 +44,11 @@ runs:
 
     # Install node dependencies.
     - shell: bash
+      env:
+        INSTALL_DEPS: ${{ inputs.install-deps }}
+        IGNORE_SCRIPTS: ${{ inputs.ignore-scripts }}
       # `actions/setup-node` should update npm cache directory if `package-lock` has changed.
       run: |
-        INSTALL_DEPS="${{ inputs.install-deps }}"
-        IGNORE_SCRIPTS="${{ inputs.ignore-scripts }}"
-
         COLOR_INFO="\033[38;5;39m"
         COLOR_END="\033[0m"
 

packages/github-actions/actions/prepare-php/action.yml

@@ -58,8 +58,9 @@ runs:
 
     # Install Composer dependencies.
     - shell: bash
+      env:
+        INSTALL_DEPS: ${{ inputs.install-deps }}
       run: |
-        INSTALL_DEPS="${{ inputs.install-deps }}"
         COMPOSER_VER=$(composer --version | awk '{ print $3 }')
 
         COLOR_INFO="\033[38;5;39m"

packages/github-actions/actions/run-qit-annotate/action.yml

@@ -58,11 +58,14 @@ runs:
         zip: ${{ inputs.extension-file &&  format('--zip={0}', inputs.extension-file) || '' }}
         wait: ${{ inputs.wait == 'true' && '--wait' || '' }}
         ignore_fail: ${{ inputs.ignore-fail == 'true' && '--ignore-fail' || '' }}
+        type: ${{ inputs.type }}
+        extension: ${{ inputs.extension }}
+        options: ${{ inputs.options }}
       run: |
-        json=`./vendor/bin/qit run:${{ inputs.type }} \
-         ${{ inputs.extension }} \
+        json=`./vendor/bin/qit run:${type} \
+         ${extension} \
          $zip \
-         ${{ inputs.options }} \
+         ${options} \
          $wait \
          $ignore_fail \
          -n \
@@ -85,8 +88,10 @@ runs:
     # Annotate the results according to the status, forward qit exit code.
     - name: Annotate and exit
       shell: bash
+      env:
+        type: ${{ inputs.type }}
       run: |
-        summary="${{ inputs.type }} (${{ steps.read-summary.outputs.test_run_id }}): ${{ steps.read-summary.outputs.status }} - ${{ steps.read-summary.outputs.summary }} \`qit get ${{ steps.read-summary.outputs.test_run_id }}\`";
+        summary="${type} (${{ steps.read-summary.outputs.test_run_id }}): ${{ steps.read-summary.outputs.status }} - ${{ steps.read-summary.outputs.summary }} \`qit get ${{ steps.read-summary.outputs.test_run_id }}\`";
         case ${{ steps.read-summary.outputs.status }} in
           "success") echo "::notice ::$summary"
           ;;

packages/github-actions/actions/stylelint-annotation/action.yml

@@ -11,8 +11,9 @@ runs:
   steps:
     # Copy formatter script to the destination file path.
     - shell: bash
+      env:
+        SCRIPT_DEST: ${{ inputs.formatter-dest }}
       run: |
-        SCRIPT_DEST="${{ inputs.formatter-dest }}"
         mkdir -p $(dirname "$SCRIPT_DEST")
         echo '/* eslint-disable */' > "$SCRIPT_DEST"
         cat "${{ github.action_path }}/stylelintFormatter.cjs" >> "$SCRIPT_DEST"