fix review findings: shell injection, POSIX grep, .md coverage, CI wording

cderv · cderv · commit a4f07f22cad9 · 2026-04-13T16:12:10.000+02:00
- Use env var instead of expression interpolation for changed-files input
  in composite action (shell injection risk)
- Replace \s with POSIX [[:space:]] in grep pattern (portability)
- Include .md files in draft detection (draft-check.yml and composite action)
- Fix CI section in blog post: v1.9 shows deprecation warning, v1.10
  does the transparent redirect
diff --git a/.github/workflows/actions/detect-drafts/action.yml b/.github/workflows/actions/detect-drafts/action.yml
@@ -1,5 +1,5 @@
 name: 'Detect Draft Pages'
-description: 'Scan changed .qmd files for draft: true in YAML frontmatter'
+description: 'Scan changed .qmd and .md files for draft: true in YAML frontmatter'
 inputs:
   changed-files:
     description: 'JSON array of changed file paths (from tj-actions/changed-files)'
@@ -15,11 +15,12 @@ runs:
   using: composite
   steps:
     - id: detect
+      env:
+        CHANGED_FILES: ${{ inputs.changed-files }}
       run: |
-        CHANGED='${{ inputs.changed-files }}'
-        DRAFTS=$(echo "$CHANGED" | jq -r '.[]' | while read -r file; do
-          if [[ "$file" == *.qmd ]] && [ -f "$file" ]; then
-            if sed -n '/^---$/,/^---$/p' "$file" | grep -qE '^\s*draft:\s*true\s*$'; then
+        DRAFTS=$(echo "$CHANGED_FILES" | jq -r '.[]' | while read -r file; do
+          if [[ "$file" == *.qmd || "$file" == *.md ]] && [ -f "$file" ]; then
+            if sed -n '/^---$/,/^---$/p' "$file" | grep -qE '^[[:space:]]*draft:[[:space:]]*true[[:space:]]*$'; then
               echo "$file"
             fi
           fi
diff --git a/.github/workflows/draft-check.yml b/.github/workflows/draft-check.yml
@@ -17,6 +17,7 @@ jobs:
         with:
           files: |
             docs/**/*.qmd
+            docs/**/*.md
           json: true
           escape_json: false
 
diff --git a/docs/blog/posts/2026-04-13-chrome-headless-shell/index.qmd b/docs/blog/posts/2026-04-13-chrome-headless-shell/index.qmd
@@ -51,7 +51,7 @@ Running `quarto check install` will warn you if a legacy Chromium installation i
 
 ### CI and automation
 
-If your CI pipeline uses `quarto install chromium --no-prompt`, it will continue to work — the command transparently redirects to Chrome Headless Shell. No changes are required, but updating your scripts to use `quarto install chrome-headless-shell --no-prompt` makes the intent clearer and avoids the deprecation warning.
+If your CI pipeline uses `quarto install chromium --no-prompt`, it will continue to work — the command still installs a working headless browser, but now shows a deprecation warning. Updating your scripts to `quarto install chrome-headless-shell --no-prompt` avoids the warning and uses the new tool directly. In Quarto 1.10, `quarto install chromium` will transparently redirect to Chrome Headless Shell, so either command will produce the same result.
 
 ## What's next
 
