Merge commit from fork

WorldSEnder · web-flow · commit 73a970b3df3b · 2026-03-27T10:50:03.000+01:00
* fix: variable interpolation/injection in scripts

github actions variable interpolation works differently than
interpolation in bash syntax. The only safe way for untrusted user input
is in general to store it in an env variable for scripts to access and use
plain old bash string interpolation.
The place where variables are still interpolated 'raw' are places that are
either guaranteed to be a commit hash, or a number, as per github action
inputs.

* be resilient against expansion in 'publish' workflow

even though this requires elevated access, pass event input as
an environment variable in the 'publish' workflow to avoid injection
of arbitrary commands frrom the input string
diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml
@@ -123,7 +123,9 @@ jobs:
 
       - name: Run js-framework-benchmark/webdriver-ts npm run bench
         working-directory: js-framework-benchmark/webdriver-ts
-        run: xvfb-run npm run bench -- --framework keyed/yew keyed/yew-hooks --runner playwright --chromeBinary "${{ steps.setup-chrome.outputs.chrome-path }}"
+        run: xvfb-run npm run bench -- --framework keyed/yew keyed/yew-hooks --runner playwright --chromeBinary "$CHROME_PATH"
+        env:
+          CHROME_PATH: ${{ steps.setup-chrome.outputs.chrome-path }}
 
       - name: Transform results to be fit for display benchmark-action/github-action-benchmark@v1
         run: |
diff --git a/.github/workflows/main-checks.yml b/.github/workflows/main-checks.yml
@@ -105,14 +105,14 @@ jobs:
       - name: Run tests - yew
         run: |
           cd packages/yew
-          CHROMEDRIVER=$(which chromedriver) cargo test --features csr,hydration,ssr,test --target wasm32-unknown-unknown
-          GECKODRIVER=$(which geckodriver) cargo test --features csr,hydration,ssr,test --target wasm32-unknown-unknown
+          CHROMEDRIVER="$(which chromedriver)" cargo test --features csr,hydration,ssr,test --target wasm32-unknown-unknown
+          GECKODRIVER="$(which geckodriver)" cargo test --features csr,hydration,ssr,test --target wasm32-unknown-unknown
 
       - name: Run tests - yew-router
         run: |
           cd packages/yew-router
-          CHROMEDRIVER=$(which chromedriver) cargo test --target wasm32-unknown-unknown
-          GECKODRIVER=$(which geckodriver) cargo test --target wasm32-unknown-unknown
+          CHROMEDRIVER="$(which chromedriver)" cargo test --target wasm32-unknown-unknown
+          GECKODRIVER="$(which geckodriver)" cargo test --target wasm32-unknown-unknown
 
   unit_tests:
     name: Unit Tests on ${{ matrix.toolchain }}
diff --git a/.github/workflows/publish-api-docs.yml b/.github/workflows/publish-api-docs.yml
@@ -40,8 +40,11 @@ jobs:
             exit 1
           fi
           echo "PR_NUMBER=$pr_number" >> $GITHUB_ENV
-          echo "PR_BRANCH=${{ github.event.workflow_run.head_branch }}" >> $GITHUB_ENV
-          echo "COMMIT_SHA=${{ github.event.workflow_run.head_sha }}" >> $GITHUB_ENV
+          echo "PR_BRANCH=$PR_BRANCH" >> $GITHUB_ENV
+          echo "COMMIT_SHA=$COMMIT_SHA" >> $GITHUB_ENV
+        env:
+          PR_BRANCH: ${{ github.event.workflow_run.head_branch }}
+          COMMIT_SHA: ${{ github.event.workflow_run.head_sha }}
 
       - if: github.event.workflow_run.event == 'push'
         name: Apply push environment
@@ -59,5 +62,5 @@ jobs:
           commentURLPath: "/next/yew"
           # PR information
           prNumber: "${{ env.PR_NUMBER }}"
-          prBranchName: "${{ env.PR_BRANCH }}"
+          prBranchName: ${{ env.PR_BRANCH }}
           commitSHA: "${{ env.COMMIT_SHA }}"
diff --git a/.github/workflows/publish-website.yml b/.github/workflows/publish-website.yml
@@ -40,8 +40,11 @@ jobs:
             exit 1
           fi
           echo "PR_NUMBER=$pr_number" >> $GITHUB_ENV
-          echo "PR_BRANCH=${{ github.event.workflow_run.head_branch }}" >> $GITHUB_ENV
-          echo "COMMIT_SHA=${{ github.event.workflow_run.head_sha }}" >> $GITHUB_ENV
+          echo "PR_BRANCH=$PR_BRANCH" >> $GITHUB_ENV
+          echo "COMMIT_SHA=$COMMIT_SHA" >> $GITHUB_ENV
+        env:
+          PR_BRANCH: ${{ github.event.workflow_run.head_branch }}
+          COMMIT_SHA: ${{ github.event.workflow_run.head_sha }}
 
       - if: github.event.workflow_run.event == 'push'
         name: Apply push environment
@@ -59,5 +62,5 @@ jobs:
           commentURLPath: "/docs/next"
           # PR information
           prNumber: "${{ env.PR_NUMBER }}"
-          prBranchName: "${{ env.PR_BRANCH }}"
+          prBranchName: ${{ env.PR_BRANCH }}
           commitSHA: "${{ env.COMMIT_SHA }}"
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -47,26 +47,25 @@ jobs:
           version: =1.1.1
 
       - name: Cargo login
-        run: cargo login ${{ secrets.CRATES_IO_TOKEN }}
+        run: echo ${{ secrets.CRATES_IO_TOKEN }} | cargo login
 
-      - name: Build command
+      - name: Release yew
         shell: bash
         env:
           PACKAGES: ${{ github.event.inputs.packages }}
+          LEVEL: ${{ github.event.inputs.level }}
         run: |
-          output=""
-          for pkg in ${{ github.event.inputs.packages }}
-          do
-            output+="--package $pkg " 
+          arguments=()
+          for pkg in $PACKAGES; do
+            arguments+=("--package" "$pkg")
           done
-          echo "pkg=$output" >> $GITHUB_ENV
-
-      - name: Release yew
-        run: cargo release ${{ github.event.inputs.level }} --execute --no-confirm ${{ env.pkg }}
+          cargo release "$LEVEL" --execute --no-confirm "${arguments[@]}"
 
       - name: Collect release info
         id: releaseinfo
-        run: cargo run -p collect-release-info -- ${{ github.event.inputs.packages }}
+        env:
+          PACKAGES: ${{ github.event.inputs.packages }}
+        run: cargo run -p collect-release-info -- $PACKAGES
 
       - name: Create a version branch
         if: github.event.inputs.level != 'patch'
