ci(docker): harden env variable usage

ReenigneArcher · ReenigneArcher · commit ff37c31c8f70 · 2025-09-22T22:14:39.000-04:00
diff --git a/.github/workflows/__call-docker.yml b/.github/workflows/__call-docker.yml
@@ -147,43 +147,40 @@ jobs:
       - name: Prepare
         id: prepare
         env:
-          NV: ${{ inputs.release_tag }}
+          BRANCH: ${{ github.ref }}
+          COMMIT: ${{ inputs.release_commit }}
+          NEW_TAG: ${{ inputs.release_tag }}
         run: |
-          # get branch name
-          BRANCH=${GITHUB_HEAD_REF}
+          # get variables
+          branch="${BRANCH}"
+          commit="${COMMIT}"
+          clone_url="${{ github.event.repository.clone_url }}"
 
-          RELEASE="${{ inputs.publish_release }}"
-          COMMIT="${{ inputs.release_commit }}"
-
-          if [ -z "${BRANCH}" ]; then
+          if [ "${{ github.event_name }}" == "push" ]; then
             echo "This is a PUSH event"
-            BRANCH="${{ github.ref_name }}"
-            CLONE_URL="${{ github.event.repository.clone_url }}"
-          else
-            echo "This is a PULL REQUEST event"
-            CLONE_URL="${{ github.event.pull_request.head.repo.clone_url }}"
+            branch="${{ github.ref_name }}"
           fi
 
           # setup the tags
           BASE_TAG="${{ needs.check_dockerfiles.outputs.base_tag }}"
 
-          TAGS="${BASE_TAG}:${COMMIT:0:7}${{ matrix.tag }},ghcr.io/${BASE_TAG}:${COMMIT:0:7}${{ matrix.tag }}"
+          TAGS="${BASE_TAG}:${commit:0:7}${{ matrix.tag }},ghcr.io/${BASE_TAG}:${commit:0:7}${{ matrix.tag }}"
 
-          if [[ "${GITHUB_REF}" == refs/heads/master ]]; then
+          if [[ "${branch}" == refs/heads/master ]]; then
             TAGS="${TAGS},${BASE_TAG}:latest${{ matrix.tag }},ghcr.io/${BASE_TAG}:latest${{ matrix.tag }}"
             TAGS="${TAGS},${BASE_TAG}:master${{ matrix.tag }},ghcr.io/${BASE_TAG}:master${{ matrix.tag }}"
           else
             TAGS="${TAGS},${BASE_TAG}:test${{ matrix.tag }},ghcr.io/${BASE_TAG}:test${{ matrix.tag }}"
           fi
 
-          if [[ "${NV}" != "" ]]; then
-            TAGS="${TAGS},${BASE_TAG}:${NV}${{ matrix.tag }},ghcr.io/${BASE_TAG}:${NV}${{ matrix.tag }}"
+          if [[ "${NEW_TAG}" != "" ]]; then
+            TAGS="${TAGS},${BASE_TAG}:${NEW_TAG}${{ matrix.tag }},ghcr.io/${BASE_TAG}:${NEW_TAG}${{ matrix.tag }}"
           fi
 
           # parse custom directives out of dockerfile
           # try to get the platforms from the dockerfile custom directive, i.e. `# platforms: xxx,yyy`
           # directives for PR event, i.e. not push event
-          if [[ "${RELEASE}" == "false" ]]; then
+          if [ "${{ github.event_name }}" == "pull_request" ]; then
             while read -r line; do
               if [[ $line == "# platforms_pr: "* && $PLATFORMS == "" ]]; then
                 # echo the line and use `sed` to remove the custom directive
@@ -221,9 +218,9 @@ jobs:
           fi
 
           {
-            echo "branch=${BRANCH}";
+            echo "branch=${branch}";
             echo "build_date=$(date -u +'%Y-%m-%dT%H:%M:%SZ')";
-            echo "clone_url=${CLONE_URL}";
+            echo "clone_url=${clone_url}";
             echo "artifacts=${ARTIFACTS}";
             echo "no_cache_filters=${NO_CACHE_FILTERS}";
             echo "platforms=${PLATFORMS}";
