chore: try to prevent shell escaping

Author: rjaegers

.github/workflows/wc-build-push.yml

@@ -126,9 +126,15 @@ jobs:
         working-directory: ${{ runner.temp }}/digests
         run: |
           set -Eeuo pipefail
+
+          annotations=$(echo '${{ steps.metadata.outputs.json }}' | jq -r '.annotations[]')
+          for annotation in $annotations; do
+            annotation_arguments+=(--annotation "$annotation")
+          done
+
           # shellcheck disable=SC2046
           docker buildx imagetools create \
-            $(echo '${{ steps.metadata.outputs.json }}' | jq -r '.annotations | map("--annotation \"" + . + "\"") | join(" ")') \
+            "${annotation_arguments[@]}" \
             $(echo '${{ steps.metadata.outputs.json }}' | jq -r '.tags | map("--tag " + .) | join(" ")') \
             $(printf '${{ env.REGISTRY }}/${{ github.repository }}-${{ inputs.flavor }}@sha256:%s ' *)
       - name: Inspect manifest and extract digest