fix: use double quotes for environment variable assignments in workflows

- Updated environment variable assignments in multiple workflow files to use double quotes for consistency and to prevent potential issues with variable expansion. - Refactored echo commands to group multiple lines into a single block for improved readability in the following workflows: - release-goreleaser.yml - renovate_prune.yml - security-pr.yml - security-weekly-rebuild.yml - supply-chain-pr.yml - supply-chain-verify.yml - update-geolite2.yml - waf-integration.yml - weekly-nightly-promotion.yml
2026-02-08 10:18:40 +00:00
parent ef5efd2e33
commit ee48c2e716
25 changed files with 812 additions and 689 deletions
--- a/.github/workflows/rate-limit-integration.yml
+++ b/.github/workflows/rate-limit-integration.yml
@@ -3,6 +3,9 @@ name: Rate Limit integration
 # Phase 2-3: Build Once, Test Many - Use registry image instead of building
 # This workflow now waits for docker-build.yml to complete and pulls the built image
 on:
+  workflow_run:
+    workflows: ["Docker Build, Publish & Test"]
+    types: [completed]
  workflow_dispatch:
    inputs:
      image_tag:
@@ -40,12 +43,15 @@ jobs:
          # Manual trigger uses provided tag
          if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
            if [[ -n "$MANUAL_TAG" ]]; then
-              echo "tag=${MANUAL_TAG}" >> $GITHUB_OUTPUT
+              TAG_VALUE="$MANUAL_TAG"
            else
              # Default to latest if no tag provided
-              echo "tag=latest" >> $GITHUB_OUTPUT
+              TAG_VALUE="latest"
            fi
-            echo "source_type=manual" >> $GITHUB_OUTPUT
+            {
+              echo "tag=${TAG_VALUE}"
+              echo "source_type=manual"
+            } >> "$GITHUB_OUTPUT"
            exit 0
          fi

@@ -72,16 +78,20 @@ jobs:
            fi

            # Immutable tag with SHA suffix prevents race conditions
-            echo "tag=pr-${PR_NUM}-${SHORT_SHA}" >> $GITHUB_OUTPUT
-            echo "source_type=pr" >> $GITHUB_OUTPUT
+            {
+              echo "tag=pr-${PR_NUM}-${SHORT_SHA}"
+              echo "source_type=pr"
+            } >> "$GITHUB_OUTPUT"
          else
            # Non-PR workflow_run uses short SHA tag (matches docker-build.yml)
-            echo "tag=sha-${SHORT_SHA}" >> $GITHUB_OUTPUT
-            echo "source_type=sha" >> $GITHUB_OUTPUT
+            {
+              echo "tag=sha-${SHORT_SHA}"
+              echo "source_type=sha"
+            } >> "$GITHUB_OUTPUT"
          fi

-          echo "sha=${SHORT_SHA}" >> $GITHUB_OUTPUT
-          echo "Determined image tag: $(cat $GITHUB_OUTPUT | grep tag=)"
+          echo "sha=${SHORT_SHA}" >> "$GITHUB_OUTPUT"
+          echo "Determined image tag: $(grep tag= "$GITHUB_OUTPUT")"

      # Pull image from Docker Hub with retry logic
      - name: Pull Docker image from registry
@@ -119,69 +129,72 @@ jobs:
        run: |
          chmod +x scripts/rate_limit_integration.sh
          scripts/rate_limit_integration.sh 2>&1 | tee ratelimit-test-output.txt
-          exit ${PIPESTATUS[0]}
+          exit "${PIPESTATUS[0]}"

      - name: Dump Debug Info on Failure
        if: failure()
        run: |
-          echo "## 🔍 Debug Information" >> $GITHUB_STEP_SUMMARY
-          echo "" >> $GITHUB_STEP_SUMMARY
+          {
+            echo "## 🔍 Debug Information"
+            echo ""

-          echo "### Container Status" >> $GITHUB_STEP_SUMMARY
-          echo '```' >> $GITHUB_STEP_SUMMARY
-          docker ps -a --filter "name=charon" --filter "name=ratelimit" --filter "name=backend" >> $GITHUB_STEP_SUMMARY 2>&1 || true
-          echo '```' >> $GITHUB_STEP_SUMMARY
-          echo "" >> $GITHUB_STEP_SUMMARY
+            echo "### Container Status"
+            echo '```'
+            docker ps -a --filter "name=charon" --filter "name=ratelimit" --filter "name=backend" 2>&1 || true
+            echo '```'
+            echo ""

-          echo "### Security Config API" >> $GITHUB_STEP_SUMMARY
-          echo '```json' >> $GITHUB_STEP_SUMMARY
-          curl -s http://localhost:8280/api/v1/security/config 2>/dev/null | head -100 >> $GITHUB_STEP_SUMMARY || echo "Could not retrieve security config" >> $GITHUB_STEP_SUMMARY
-          echo '```' >> $GITHUB_STEP_SUMMARY
-          echo "" >> $GITHUB_STEP_SUMMARY
+            echo "### Security Config API"
+            echo '```json'
+            curl -s http://localhost:8280/api/v1/security/config 2>/dev/null | head -100 || echo "Could not retrieve security config"
+            echo '```'
+            echo ""

-          echo "### Security Status API" >> $GITHUB_STEP_SUMMARY
-          echo '```json' >> $GITHUB_STEP_SUMMARY
-          curl -s http://localhost:8280/api/v1/security/status 2>/dev/null | head -100 >> $GITHUB_STEP_SUMMARY || echo "Could not retrieve security status" >> $GITHUB_STEP_SUMMARY
-          echo '```' >> $GITHUB_STEP_SUMMARY
-          echo "" >> $GITHUB_STEP_SUMMARY
+            echo "### Security Status API"
+            echo '```json'
+            curl -s http://localhost:8280/api/v1/security/status 2>/dev/null | head -100 || echo "Could not retrieve security status"
+            echo '```'
+            echo ""

-          echo "### Caddy Admin Config (rate_limit handlers)" >> $GITHUB_STEP_SUMMARY
-          echo '```json' >> $GITHUB_STEP_SUMMARY
-          curl -s http://localhost:2119/config 2>/dev/null | grep -A 20 '"handler":"rate_limit"' | head -30 >> $GITHUB_STEP_SUMMARY || echo "Could not retrieve Caddy config" >> $GITHUB_STEP_SUMMARY
-          echo '```' >> $GITHUB_STEP_SUMMARY
-          echo "" >> $GITHUB_STEP_SUMMARY
+            echo "### Caddy Admin Config (rate_limit handlers)"
+            echo '```json'
+            curl -s http://localhost:2119/config 2>/dev/null | grep -A 20 '"handler":"rate_limit"' | head -30 || echo "Could not retrieve Caddy config"
+            echo '```'
+            echo ""

-          echo "### Charon Container Logs (last 100 lines)" >> $GITHUB_STEP_SUMMARY
-          echo '```' >> $GITHUB_STEP_SUMMARY
-          docker logs charon-ratelimit-test 2>&1 | tail -100 >> $GITHUB_STEP_SUMMARY || echo "No container logs available" >> $GITHUB_STEP_SUMMARY
-          echo '```' >> $GITHUB_STEP_SUMMARY
+            echo "### Charon Container Logs (last 100 lines)"
+            echo '```'
+            docker logs charon-ratelimit-test 2>&1 | tail -100 || echo "No container logs available"
+            echo '```'
+          } >> "$GITHUB_STEP_SUMMARY"

      - name: Rate Limit Integration Summary
        if: always()
        run: |
-          echo "## ⏱️ Rate Limit Integration Test Results" >> $GITHUB_STEP_SUMMARY
-          if [ "${{ steps.ratelimit-test.outcome }}" == "success" ]; then
-            echo "✅ **All rate limit tests passed**" >> $GITHUB_STEP_SUMMARY
-            echo "" >> $GITHUB_STEP_SUMMARY
-            echo "### Test Results:" >> $GITHUB_STEP_SUMMARY
-            echo '```' >> $GITHUB_STEP_SUMMARY
-            grep -E "✓|=== ALL|HTTP 429|HTTP 200" ratelimit-test-output.txt | head -30 || echo "See logs for details"
-            grep -E "✓|=== ALL|HTTP 429|HTTP 200" ratelimit-test-output.txt | head -30 >> $GITHUB_STEP_SUMMARY || echo "See logs for details" >> $GITHUB_STEP_SUMMARY
-            echo '```' >> $GITHUB_STEP_SUMMARY
-            echo "" >> $GITHUB_STEP_SUMMARY
-            echo "### Verified Behaviors:" >> $GITHUB_STEP_SUMMARY
-            echo "- Requests within limit return HTTP 200" >> $GITHUB_STEP_SUMMARY
-            echo "- Requests exceeding limit return HTTP 429" >> $GITHUB_STEP_SUMMARY
-            echo "- Retry-After header present on blocked responses" >> $GITHUB_STEP_SUMMARY
-            echo "- Rate limit window resets correctly" >> $GITHUB_STEP_SUMMARY
-          else
-            echo "❌ **Rate limit tests failed**" >> $GITHUB_STEP_SUMMARY
-            echo "" >> $GITHUB_STEP_SUMMARY
-            echo "### Failure Details:" >> $GITHUB_STEP_SUMMARY
-            echo '```' >> $GITHUB_STEP_SUMMARY
-            grep -E "✗|FAIL|Error|failed|expected" ratelimit-test-output.txt | head -30 >> $GITHUB_STEP_SUMMARY || echo "See logs for details" >> $GITHUB_STEP_SUMMARY
-            echo '```' >> $GITHUB_STEP_SUMMARY
-          fi
+          {
+            echo "## ⏱️ Rate Limit Integration Test Results"
+            if [ "${{ steps.ratelimit-test.outcome }}" == "success" ]; then
+              echo "✅ **All rate limit tests passed**"
+              echo ""
+              echo "### Test Results:"
+              echo '```'
+              grep -E "✓|=== ALL|HTTP 429|HTTP 200" ratelimit-test-output.txt | head -30 || echo "See logs for details"
+              echo '```'
+              echo ""
+              echo "### Verified Behaviors:"
+              echo "- Requests within limit return HTTP 200"
+              echo "- Requests exceeding limit return HTTP 429"
+              echo "- Retry-After header present on blocked responses"
+              echo "- Rate limit window resets correctly"
+            else
+              echo "❌ **Rate limit tests failed**"
+              echo ""
+              echo "### Failure Details:"
+              echo '```'
+              grep -E "✗|FAIL|Error|failed|expected" ratelimit-test-output.txt | head -30 || echo "See logs for details"
+              echo '```'
+            fi
+          } >> "$GITHUB_STEP_SUMMARY"

      - name: Cleanup
        if: always()