fix: use double quotes for environment variable assignments in workflows

- Updated environment variable assignments in multiple workflow files to use double quotes for consistency and to prevent potential issues with variable expansion. - Refactored echo commands to group multiple lines into a single block for improved readability in the following workflows: - release-goreleaser.yml - renovate_prune.yml - security-pr.yml - security-weekly-rebuild.yml - supply-chain-pr.yml - supply-chain-verify.yml - update-geolite2.yml - waf-integration.yml - weekly-nightly-promotion.yml
2026-02-08 10:18:40 +00:00
parent ef5efd2e33
commit ee48c2e716
25 changed files with 812 additions and 689 deletions
--- a/.github/workflows/nightly-build.yml
+++ b/.github/workflows/nightly-build.yml
@@ -57,7 +57,7 @@ jobs:
          # Check if there are differences between remote branches
          if git diff --quiet origin/nightly origin/development; then
            echo "No changes to sync from development to nightly"
-            echo "has_changes=false" >> $GITHUB_OUTPUT
+            echo "has_changes=false" >> "$GITHUB_OUTPUT"
          else
            echo "Syncing changes from development to nightly"
            # Fast-forward merge development into nightly
@@ -68,7 +68,7 @@ jobs:
            }
            # Force push to handle cases where nightly diverged from development
            git push --force origin nightly
-            echo "has_changes=true" >> $GITHUB_OUTPUT
+            echo "has_changes=true" >> "$GITHUB_OUTPUT"
          fi

  build-and-push-nightly:
@@ -93,7 +93,7 @@ jobs:
          fetch-depth: 0

      - name: Set lowercase image name
-        run: echo "IMAGE_NAME_LC=${IMAGE_NAME,,}" >> $GITHUB_ENV
+        run: echo "IMAGE_NAME_LC=${IMAGE_NAME,,}" >> "$GITHUB_ENV"

      - name: Set up QEMU
        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130  # v3.7.0
@@ -151,8 +151,8 @@ jobs:

      - name: Record nightly image digest
        run: |
-          echo "## 🧾 Nightly Image Digest" >> $GITHUB_STEP_SUMMARY
-          echo "- ${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}:nightly@${{ steps.build.outputs.digest }}" >> $GITHUB_STEP_SUMMARY
+          echo "## 🧾 Nightly Image Digest" >> "$GITHUB_STEP_SUMMARY"
+          echo "- ${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}:nightly@${{ steps.build.outputs.digest }}" >> "$GITHUB_STEP_SUMMARY"

      - name: Generate SBOM
        uses: anchore/sbom-action@28d71544de8eaf1b958d335707167c5f783590ad  # v0.22.2
@@ -176,7 +176,7 @@ jobs:
      - name: Sign GHCR Image
        run: |
          echo "Signing GHCR nightly image with keyless signing..."
-          cosign sign --yes ${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build.outputs.digest }}
+          cosign sign --yes "${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build.outputs.digest }}"
          echo "✅ GHCR nightly image signed successfully"

      # Sign Docker Hub image with keyless signing (Sigstore/Fulcio)
@@ -184,7 +184,7 @@ jobs:
        if: env.HAS_DOCKERHUB_TOKEN == 'true'
        run: |
          echo "Signing Docker Hub nightly image with keyless signing..."
-          cosign sign --yes ${{ env.DOCKERHUB_REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build.outputs.digest }}
+          cosign sign --yes "${{ env.DOCKERHUB_REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build.outputs.digest }}"
          echo "✅ Docker Hub nightly image signed successfully"

      # Attach SBOM to Docker Hub image
@@ -192,7 +192,7 @@ jobs:
        if: env.HAS_DOCKERHUB_TOKEN == 'true'
        run: |
          echo "Attaching SBOM to Docker Hub nightly image..."
-          cosign attach sbom --sbom sbom-nightly.json ${{ env.DOCKERHUB_REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build.outputs.digest }}
+          cosign attach sbom --sbom sbom-nightly.json "${{ env.DOCKERHUB_REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build.outputs.digest }}"
          echo "✅ SBOM attached to Docker Hub nightly image"

  test-nightly-image:
@@ -209,7 +209,7 @@ jobs:
          ref: nightly

      - name: Set lowercase image name
-        run: echo "IMAGE_NAME_LC=${IMAGE_NAME,,}" >> $GITHUB_ENV
+        run: echo "IMAGE_NAME_LC=${IMAGE_NAME,,}" >> "$GITHUB_ENV"

      - name: Log in to GitHub Container Registry
        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9  # v3.7.0
@@ -219,13 +219,13 @@ jobs:
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Pull nightly image
-        run: docker pull ${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}:nightly@${{ needs.build-and-push-nightly.outputs.digest }}
+        run: docker pull "${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}:nightly@${{ needs.build-and-push-nightly.outputs.digest }}"

      - name: Run container smoke test
        run: |
          docker run --name charon-nightly -d \
            -p 8080:8080 \
-            ${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}:nightly@${{ needs.build-and-push-nightly.outputs.digest }}
+            "${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}:nightly@${{ needs.build-and-push-nightly.outputs.digest }}"

          # Wait for container to start
          sleep 10
@@ -263,7 +263,7 @@ jobs:
          ref: nightly

      - name: Set lowercase image name
-        run: echo "IMAGE_NAME_LC=${IMAGE_NAME,,}" >> $GITHUB_ENV
+        run: echo "IMAGE_NAME_LC=${IMAGE_NAME,,}" >> "$GITHUB_ENV"

      - name: Download SBOM
        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131  # v7.0.0