Harden against template injection attacks in GHA workflows

caxu-rh · acornett21 · commit e94099cec12a · 2026-06-15T11:25:52.000-07:00
Signed-off-by: Caleb Xu &lt;caxu@redhat.com&gt;
diff --git a/.github/workflows/build-main.yml b/.github/workflows/build-main.yml
@@ -31,7 +31,7 @@ jobs:
       run: echo "RELEASE_TAG=$(git describe --abbrev=0 --tags)" >> "${GITHUB_ENV}"
 
     - name: set short sha
-      run: echo SHA_SHORT=$(git rev-parse --short HEAD) >> $GITHUB_ENV
+      run: echo "SHA_SHORT=$(git rev-parse --short HEAD)" >> "${GITHUB_ENV}"
 
     - name: Set up QEMU
       uses: docker/setup-qemu-action@06116385d9baf250c9f4dcb4858b16962ea869c3 # v4.1.0
@@ -65,7 +65,9 @@ jobs:
         password: ${{ secrets.REGISTRY_PASSWORD }}
 
     - name: Print image url
-      run: echo "Image pushed to ${{ steps.push-image.outputs.registry-paths }}"
+      run: echo "Image pushed to ${REGISTRY_PATHS}"
+      env:
+        REGISTRY_PATHS: ${{ steps.push-image.outputs.registry-paths }}
     
     outputs:
       imageName: ${{ env.IMAGE_NAME }}
diff --git a/.github/workflows/build-release.yml b/.github/workflows/build-release.yml
@@ -28,7 +28,7 @@ jobs:
         persist-credentials: false
 
     - name: Set Env Tags
-      run: echo RELEASE_TAG=$(echo $GITHUB_REF | cut -d '/' -f 3) >> $GITHUB_ENV
+      run: echo "RELEASE_TAG=$(echo "${GITHUB_REF}" | cut -d '/' -f 3)" >> "${GITHUB_ENV}"
 
     - name: Set up QEMU
       uses: docker/setup-qemu-action@06116385d9baf250c9f4dcb4858b16962ea869c3 # v4.1.0
@@ -61,7 +61,9 @@ jobs:
         password: ${{ secrets.REGISTRY_PASSWORD }}
 
     - name: Print image url
-      run: echo "Image pushed to ${{ steps.push-image.outputs.registry-paths }}"
+      run: echo "Image pushed to ${REGISTRY_PATHS}"
+      env:
+        REGISTRY_PATHS: ${{ steps.push-image.outputs.registry-paths }}
 
     outputs:
       imageName: ${{ env.IMAGE_NAME }}
