ci(e2e,release): harden shell expansion

wikkyk · claude · claude · commit 3ec4f3371a3a · 2026-04-08T21:07:30.000Z
Replace ${{ env.* }} expression interpolation with quoted shell
variable expansion to prevent potential command injection via
environment variables.

Co-authored-by: Claude &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml
@@ -43,7 +43,7 @@ jobs:
         run: echo 'SKIP_E2E=""' >> "$GITHUB_ENV"
 
       - name: Run e2e tests
-        run: "make test-e2e GINKGO_SKIP=${{ env.SKIP_E2E }}"
+        run: make test-e2e "GINKGO_SKIP=$SKIP_E2E"
 
       - name: Upload artifacts
         uses: actions/upload-artifact@v7
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -26,7 +26,7 @@ jobs:
           go-version-file: go.mod
       - name: generate release artifacts
         run: |
-          make release-manifests RELEASE_VERSION=${{ env.RELEASE_TAG }}
+          make release-manifests "RELEASE_VERSION=$RELEASE_TAG"
       - name: generate release templates
         run: |
           make release-templates
