refactor: Use psql parameterized queries for user-setup Job

Replace shell variable interpolation with psql -v variables
and heredoc input to prevent SQL injection from user-provided
secret values.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: svor

bundle/next/eclipse-che/manifests/che-operator.clusterserviceversion.yaml

@@ -86,7 +86,7 @@ metadata:
     categories: Developer Tools
     certified: "false"
     containerImage: quay.io/eclipse/che-operator:next
-    createdAt: "2026-06-17T11:32:24Z"
+    createdAt: "2026-06-17T15:00:32Z"
     description: A Kube-native development solution that delivers portable and collaborative
       developer workspaces.
     features.operators.openshift.io/cnf: "false"
@@ -108,7 +108,7 @@ metadata:
     operatorframework.io/arch.amd64: supported
     operatorframework.io/arch.arm64: supported
     operatorframework.io/os.linux: supported
-  name: eclipse-che.v7.119.0-1021.next
+  name: eclipse-che.v7.119.0-1023.next
   namespace: placeholder
 spec:
   apiservicedefinitions: {}
@@ -1166,7 +1166,7 @@ spec:
       name: openvsx
     - image: quay.io/sclorg/postgresql-16-c9s:20260319
       name: openvsx-postgres
-  version: 7.119.0-1021.next
+  version: 7.119.0-1023.next
   webhookdefinitions:
     - admissionReviewVersions:
         - v1

pkg/deploy/openvsx/server/openvsx_server.go

@@ -302,8 +302,31 @@ func (r *OpenVSXServerReconciler) syncUserSetupJob(ctx *chetypes.DeployContext)
 								envFromSecret("OPENVSX_ADMIN_NAME", secretName, "admin-name"),
 								envFromSecret("OPENVSX_ADMIN_PAT", secretName, "admin-token"),
 							),
-							Command: []string{"sh", "-c",
-								`psql -c "INSERT INTO user_data (id, login_name, role) VALUES (1001, '$OPENVSX_USER_NAME', 'privileged') ON CONFLICT (id) DO NOTHING; INSERT INTO personal_access_token (id, user_data, value, active, created_timestamp, accessed_timestamp, description, notified) VALUES (1001, 1001, '$OPENVSX_USER_PAT', true, current_timestamp, current_timestamp, 'extensions publisher', false) ON CONFLICT (id) DO NOTHING; INSERT INTO user_data (id, login_name, role) VALUES (1002, '$OPENVSX_ADMIN_NAME', 'admin') ON CONFLICT (id) DO NOTHING; INSERT INTO personal_access_token (id, user_data, value, active, created_timestamp, accessed_timestamp, description, notified) VALUES (1002, 1002, '$OPENVSX_ADMIN_PAT', true, current_timestamp, current_timestamp, 'Admin API Token', false) ON CONFLICT (id) DO NOTHING;"`,
+							Command: []string{"sh", "-c", `
+psql \
+  -v user_name="$OPENVSX_USER_NAME" \
+  -v user_pat="$OPENVSX_USER_PAT" \
+  -v admin_name="$OPENVSX_ADMIN_NAME" \
+  -v admin_pat="$OPENVSX_ADMIN_PAT" \
+  <<'EOSQL'
+INSERT INTO user_data (id, login_name, role)
+  VALUES (1001, :'user_name', 'privileged')
+  ON CONFLICT (id) DO NOTHING;
+
+INSERT INTO personal_access_token
+  (id, user_data, value, active, created_timestamp, accessed_timestamp, description, notified)
+  VALUES (1001, 1001, :'user_pat', true, current_timestamp, current_timestamp, 'extensions publisher', false)
+  ON CONFLICT (id) DO NOTHING;
+
+INSERT INTO user_data (id, login_name, role)
+  VALUES (1002, :'admin_name', 'admin')
+  ON CONFLICT (id) DO NOTHING;
+
+INSERT INTO personal_access_token
+  (id, user_data, value, active, created_timestamp, accessed_timestamp, description, notified)
+  VALUES (1002, 1002, :'admin_pat', true, current_timestamp, current_timestamp, 'Admin API Token', false)
+  ON CONFLICT (id) DO NOTHING;
+EOSQL`,
 							},
 						},
 					},