Prevent template injection in GitHub Actions workflows

maennchen · josevalim · commit 32d20fd77c19 · 2026-02-25T12:59:01.000+01:00
Use environment variables instead of direct template expansion in shell run blocks to prevent potential code injection. See: https://docs.zizmor.sh/audits/#template-injection
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -37,11 +37,11 @@ jobs:
         if: github.ref_type != 'branch'
         run: |
           gh release create \
-            --repo ${{ github.repository }} \
-            --title ${{ github.ref_name }} \
+            --repo "$GITHUB_REPOSITORY" \
+            --title "$GITHUB_REF_NAME" \
             --notes '' \
             --draft \
-            ${{ github.ref_name }}
+            "$GITHUB_REF_NAME"
 
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         if: github.ref_type == 'branch'
@@ -51,18 +51,18 @@ jobs:
       - name: Update ${{ github.ref_name }}-latest
         if: github.ref_type == 'branch'
         run: |
-          ref_name=${{ github.ref_name }}-latest
+          ref_name="${GITHUB_REF_NAME}-latest"
 
-          if ! gh release view $ref_name; then
+          if ! gh release view "$ref_name"; then
             gh release create \
               --latest=false \
-              --title $ref_name \
-              --notes "Automated release for latest ${{ github.ref_name }}." \
-              $ref_name
+              --title "$ref_name" \
+              --notes "Automated release for latest ${GITHUB_REF_NAME}." \
+              "$ref_name"
           fi
 
-          git tag $ref_name --force
-          git push origin $ref_name --force
+          git tag "$ref_name" --force
+          git push origin "$ref_name" --force
 
   build:
     name: Ubuntu 24.04, OTP ${{ matrix.otp_version }}${{ matrix.build_docs && ' (build docs)' || '' }}
@@ -247,12 +247,16 @@ jobs:
             cp "$ATTESTATION" "attestations/$(basename "$FILE").sigstore"
           done
 
-          cp "$ATTESTATION" "attestations/$(basename "${{ steps.ort.outputs.results-sbom-cyclonedx-xml-path }}").sigstore"
-          cp "$ATTESTATION" "attestations/$(basename "${{ steps.ort.outputs.results-sbom-cyclonedx-json-path }}").sigstore"
-          cp "$ATTESTATION" "attestations/$(basename "${{ steps.ort.outputs.results-sbom-spdx-yml-path }}").sigstore"
-          cp "$ATTESTATION" "attestations/$(basename "${{ steps.ort.outputs.results-sbom-spdx-json-path }}").sigstore"
+          cp "$ATTESTATION" "attestations/$(basename "$SBOM_CYCLONEDX_XML").sigstore"
+          cp "$ATTESTATION" "attestations/$(basename "$SBOM_CYCLONEDX_JSON").sigstore"
+          cp "$ATTESTATION" "attestations/$(basename "$SBOM_SPDX_YML").sigstore"
+          cp "$ATTESTATION" "attestations/$(basename "$SBOM_SPDX_JSON").sigstore"
         env:
           ATTESTATION: "${{ steps.attest-sbom.outputs.bundle-path }}"
+          SBOM_CYCLONEDX_XML: "${{ steps.ort.outputs.results-sbom-cyclonedx-xml-path }}"
+          SBOM_CYCLONEDX_JSON: "${{ steps.ort.outputs.results-sbom-cyclonedx-json-path }}"
+          SBOM_SPDX_YML: "${{ steps.ort.outputs.results-sbom-spdx-yml-path }}"
+          SBOM_SPDX_JSON: "${{ steps.ort.outputs.results-sbom-spdx-json-path }}"
 
       - name: "Assemble Release SBoM Artifacts"
         uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
@@ -289,14 +293,14 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          if [ "${{ github.ref_type }}" == "branch" ]; then
-            tag=${{ github.ref_name }}-latest
+          if [ "$GITHUB_REF_TYPE" == "branch" ]; then
+            tag="${GITHUB_REF_NAME}-latest"
           else
-            tag="${{ github.ref_name }}"
+            tag="$GITHUB_REF_NAME"
           fi
 
           gh release upload \
-            --repo ${{ github.repository }} \
+            --repo "$GITHUB_REPOSITORY" \
             --clobber \
             "$tag" \
             elixir-otp-*.zip \
@@ -341,12 +345,10 @@ jobs:
 
       - name: Upload Precompiled to S3
         run: |
-          ref_name=${{ github.ref_name }}
-
           oldest_otp=$(find . -type f -name 'elixir-otp-*.zip' | sed -r 's/^.*elixir-otp-([[:digit:]]+)\.zip$/\1/' | sort -n | head -n 1)
 
           for zip in $(find . -type f -name 'elixir-otp-*.zip' | sed 's/^\.\///'); do
-            dest=${zip/elixir/${ref_name}}
+            dest=${zip/elixir/${GITHUB_REF_NAME}}
             surrogate_key=${dest/.zip$/}
 
             aws s3 cp "${zip}" "s3://${AWS_S3_BUCKET}/builds/elixir/${dest}" \
@@ -358,13 +360,13 @@ jobs:
               aws s3 cp "${zip}" "s3://${AWS_S3_BUCKET}/builds/elixir/${ref_name}.zip" \
                 --cache-control "public,max-age=3600" \
                 --metadata "{\"surrogate-key\":\"builds builds/elixir builds/elixir/${ref_name}\",\"surrogate-control\":\"public,max-age=604800\"}"
-              echo builds/elixir/${ref_name} >> purge_keys.txt
+              echo builds/elixir/${GITHUB_REF_NAME} >> purge_keys.txt
             fi
           done
 
       - name: Upload Docs to S3
         run: |
-          version=$(echo ${{ github.ref_name }} | sed -e 's/^v//g')
+          version=$(echo "$GITHUB_REF_NAME" | sed -e 's/^v//g')
 
           unzip Docs.zip
 
@@ -385,7 +387,7 @@ jobs:
       - name: Update builds txt
         run: |
           date="$(date -u '+%Y-%m-%dT%H:%M:%SZ')"
-          ref_name=${{ github.ref_name }}
+          ref_name="$GITHUB_REF_NAME"
 
           oldest_otp=$(find . -name 'elixir-otp-*.zip.sha256sum' | sed -r 's/^.*elixir-otp-([[:digit:]]+)\.zip\.sha256sum$/\1/' | sort -n | head -n 1)
 
diff --git a/.github/workflows/release_notifications.yml b/.github/workflows/release_notifications.yml
@@ -31,4 +31,4 @@ jobs:
           ELIXIR_FORUM_TOKEN: ${{ secrets.ELIXIR_FORUM_TOKEN }}
           ELIXIR_LANG_ANN_TOKEN: ${{ secrets.ELIXIR_LANG_ANN_TOKEN }}
         run: |
-          elixir .github/workflows/notify.exs ${{ github.ref_name }}
+          elixir .github/workflows/notify.exs "$GITHUB_REF_NAME"
diff --git a/.github/workflows/release_pre_built/action.yml b/.github/workflows/release_pre_built/action.yml
@@ -27,8 +27,10 @@ runs:
       shell: bash
       run: |
         make Precompiled.zip
-        mv Precompiled.zip elixir-otp-${{ inputs.otp }}.zip
+        mv Precompiled.zip "elixir-otp-${INPUT_OTP}.zip"
         echo "$PWD/bin" >> $GITHUB_PATH
+      env:
+        INPUT_OTP: ${{ inputs.otp }}
 
     - name: Install NSIS
       shell: bash
@@ -39,15 +41,18 @@ runs:
     - name: Build Elixir Windows Installer
       shell: bash
       run: |
-        export OTP_VERSION=${{ inputs.otp_version }}
-        export ELIXIR_ZIP=$PWD/elixir-otp-${{ inputs.otp }}.zip
+        export OTP_VERSION="$INPUT_OTP_VERSION"
+        export ELIXIR_ZIP="$PWD/elixir-otp-${INPUT_OTP}.zip"
         (cd lib/elixir/scripts/windows_installer && ./build.sh)
-        mv lib/elixir/scripts/windows_installer/tmp/elixir-otp-${{ inputs.otp }}.exe .
+        mv "lib/elixir/scripts/windows_installer/tmp/elixir-otp-${INPUT_OTP}.exe" .
+      env:
+        INPUT_OTP: ${{ inputs.otp }}
+        INPUT_OTP_VERSION: ${{ inputs.otp_version }}
     - name: Get ExDoc ref
       if: ${{ inputs.build_docs }}
       shell: bash
       run: |
-        if [ "${{ github.ref_name }}" = "main" ]; then
+        if [ "$GITHUB_REF_NAME" = "main" ]; then
           ref=main
         else
           ref=v$(curl -s https://hex.pm/api/packages/ex_doc | jq --raw-output '.latest_stable_version')
