Merge pull request #1578 from jetstreamapp/fix/ci-command-vulnerability

paustint · web-flow · commit 31cfbbfa47e3 · 2026-03-11T09:05:47.000-07:00
fix: avoid interpolation in ci commands
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -73,12 +73,17 @@ jobs:
 
     steps:
       - name: Validate inputs
+        env:
+          REF_NAME: ${{ github.ref_name }}
+          RELEASE_WEB: ${{ inputs.release_web }}
+          RELEASE_WEB_EXTENSION: ${{ inputs.release_web_extension }}
+          RELEASE_DESKTOP: ${{ inputs.release_desktop }}
         run: |
-          if [[ "${{ github.ref_name }}" != "main" ]]; then
-            echo "Error: This workflow can only be run on the main branch. Current branch: ${{ github.ref_name }}"
+          if [[ "$REF_NAME" != "main" ]]; then
+            echo "Error: This workflow can only be run on the main branch. Current branch: $REF_NAME"
             exit 1
           fi
-          if [[ "${{ inputs.release_web }}" != "true" && "${{ inputs.release_web_extension }}" != "true" && "${{ inputs.release_desktop }}" != "true" ]]; then
+          if [[ "$RELEASE_WEB" != "true" && "$RELEASE_WEB_EXTENSION" != "true" && "$RELEASE_DESKTOP" != "true" ]]; then
             echo "Error: At least one of release_web, release_web_extension, or release_desktop must be true."
             exit 1
           fi
@@ -125,9 +130,10 @@ jobs:
       - name: Release Web
         if: ${{ inputs.release_web }}
         id: release_web
-        run: npx release-it ${{ inputs.bump }} --ci --config .release-it.json
         env:
           GITHUB_TOKEN: ${{ secrets.GH_RELEASE_TOKEN }}
+          BUMP: ${{ inputs.bump }}
+        run: npx release-it "$BUMP" --ci --config .release-it.json
 
       - name: Debug dirty working dir
         if: failure() && steps.release_web.outcome == 'failure'
@@ -158,13 +164,14 @@ jobs:
       # NOTE: Each application has its own tag format - so it is safe to have release-it run multiple times
       - name: Release Web Extension
         if: ${{ inputs.release_web_extension }}
-        run: npx release-it ${{ inputs.bump }} --ci --config .release-it-web-ext.json
         env:
           GITHUB_TOKEN: ${{ secrets.GH_RELEASE_TOKEN }}
+          BUMP: ${{ inputs.bump }}
           WEB_EXTENSION_ID_CHROME: ${{ secrets.WEB_EXTENSION_ID_CHROME }}
           GOOGLE_WEB_EXT_PUBLISH_CLIENT_ID: ${{ secrets.GOOGLE_WEB_EXT_PUBLISH_CLIENT_ID }}
           GOOGLE_WEB_EXT_PUBLISH_CLIENT_SECRET: ${{ secrets.GOOGLE_WEB_EXT_PUBLISH_CLIENT_SECRET }}
           GOOGLE_WEB_EXT_PUBLISH_REFRESH_TOKEN: ${{ secrets.GOOGLE_WEB_EXT_PUBLISH_REFRESH_TOKEN }}
+        run: npx release-it "$BUMP" --ci --config .release-it-web-ext.json
 
       - name: Upload web extension zips
         if: ${{ inputs.release_web_extension }}
@@ -178,6 +185,7 @@ jobs:
       # NOTE: Each application has its own tag format - so it is safe to have release-it run multiple times
       - name: Release Desktop
         if: ${{ inputs.release_desktop }}
-        run: npx release-it ${{ inputs.bump }} --ci --config .release-it-desktop.json
         env:
           GITHUB_TOKEN: ${{ secrets.GH_RELEASE_TOKEN }}
+          BUMP: ${{ inputs.bump }}
+        run: npx release-it "$BUMP" --ci --config .release-it-desktop.json
