fix(security): harden GitHub Actions workflows against expression injection (#407)

mnencia · web-flow · commit 14c758537ed8 · 2026-03-05T14:44:07.000+01:00
Move `${{ }}` expressions from `run:` blocks into step-level `env:` blocks, then reference them as properly-quoted shell variables. Part of cloudnative-pg/cloudnative-pg#10113 Assisted-by: Claude Opus 4.6 Signed-off-by: Marco Nenciarini <marco.nenciarini@enterprisedb.com>
diff --git a/.github/workflows/bake_targets.yml b/.github/workflows/bake_targets.yml
@@ -71,9 +71,12 @@ jobs:
 
       - name: Filter by versions
         id: extract_targets
+        env:
+          TARGETS_MATRIX: ${{ steps.targets.outputs.matrix }}
+          PG_VERSION: ${{ inputs.postgresql_version }}
         run: |
-          target=$(echo '${{ steps.targets.outputs.matrix }}' | jq -r '.[] | .[] | select(match("${{ inputs.postgresql_version }}"))' | xargs echo | sed 's/ /,/g')
-          echo "Targets for PostgreSQL ${{ inputs.postgresql_version }}: $target"
+          target=$(echo "${TARGETS_MATRIX}" | jq -r --arg v "${PG_VERSION}" '.[] | .[] | select(match($v))' | xargs echo | sed 's/ /,/g')
+          echo "Targets for PostgreSQL ${PG_VERSION}: $target"
           echo "filtered_targets=$target" >> "$GITHUB_OUTPUT"
 
       - name: Log in to the GitHub Container registry
@@ -113,8 +116,10 @@ jobs:
       # Get a list of the images that were built and pushed. We only care about a single tag for each image.
       - name: Generated images
         id: images
+        env:
+          BUILD_METADATA: ${{ steps.build.outputs.metadata }}
         run: |
-          echo "images=$(echo '${{ steps.build.outputs.metadata }}' | jq -c '[ .[]."image.name" | sub(",.*";"") ]')" >>  "$GITHUB_OUTPUT"
+          echo "images=$(echo "${BUILD_METADATA}" | jq -c '[ .[]."image.name" | sub(",.*";"") ]')" >>  "$GITHUB_OUTPUT"
 
       # Even if we're testing we sign the images, so we can push them to production later if that's required
       - name: Install cosign
@@ -123,8 +128,10 @@ jobs:
         # and https://github.com/actions/starter-workflows/blob/main/ci/docker-publish.yml for more details on
         # how to use cosign.
       - name: Sign images
+        env:
+          BUILD_METADATA: ${{ steps.build.outputs.metadata }}
         run: |
-          echo '${{ steps.build.outputs.metadata }}' | \
+          echo "${BUILD_METADATA}" | \
             jq '.[] | (."image.name" | sub(",.*";"" )) + "@" + ."containerimage.digest"' | \
             xargs cosign sign --yes
 
