remove potentially not secure template expansions
authorDmitry Misharov <dmitry@openssl.org>
Thu, 23 Oct 2025 10:23:55 +0000 (12:23 +0200)
committerTomas Mraz <tomas@openssl.org>
Fri, 7 Nov 2025 09:46:57 +0000 (10:46 +0100)
https://docs.zizmor.sh/audits/#template-injection

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28982)

.github/workflows/coveralls.yml
.github/workflows/deploy-docs-openssl-org.yml
.github/workflows/make-release.yml

index dd1782e308a59883e8d8aea61463bcf478ed7cf9..d195b716155f71173af3e589c6abd979d160643e 100644 (file)
@@ -31,12 +31,15 @@ jobs:
     steps:
       - name: Define branches
         id: branches
+        env:
+          GITHUB_EVENT_INPUTS_BRANCH: ${{ github.event.inputs.branch }}
+          GITHUB_EVENT_INPUTS_EXTRA_CONFIG: ${{ github.event.inputs.extra_config }}
         run: |
           if [ "${{ github.event_name}}" = "workflow_dispatch" ]; then
           MATRIX=$(cat << EOF
           [{
-            "branch": "${{ github.event.inputs.branch }}",
-            "extra_config": "${{ github.event.inputs.extra_config }}"
+            "branch": "${GITHUB_EVENT_INPUTS_BRANCH}",
+            "extra_config": "${GITHUB_EVENT_INPUTS_EXTRA_CONFIG}"
           }]
           EOF
           )
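Review bot: The two inputs are now expanded by the shell rather than by the workflow template engine, but the `"branch":` and `"extra_config":` lines still splice them unescaped into the JSON heredoc, so a `"` or backslash in either `workflow_dispatch` input can still change the shape of the matrix (a malformed document at worst, an unexpected extra key otherwise). Exposure is limited to whoever may dispatch the workflow, but building the document with jq keeps it well-formed for any value: `MATRIX=$(jq -cn --arg branch "$GITHUB_EVENT_INPUTS_BRANCH" --arg extra_config "$GITHUB_EVENT_INPUTS_EXTRA_CONFIG" '[{branch: $branch, extra_config: $extra_config}]')`. The remaining inline `${{ github.event_name }}` on the `if` line is a fixed event name rather than user data, so it is not a template-injection concern, though moving it into the same `env` block would make the step uniform. The `run` script continues past the end of the hunk.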
index e71b1f1539773f5fad548507c5afdef583a57989..e3fd909bc6c090bef380d37dc8399bde57f7b81a 100644 (file)
@@ -17,7 +17,7 @@ jobs:
     steps:
       - name: "Trigger deployment workflow"
         run: |
-          gh workflow run -f branch=${{ github.ref_name }} deploy-site.yaml
+          gh workflow run -f branch=${GITHUB_REF_NAME} deploy-site.yaml
           sleep 3
           RUN_ID=$(gh run list -w deploy-site.yaml -L 1 --json databaseId -q ".[0].databaseId")
           gh run watch ${RUN_ID} --exit-status
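Review bot: `${GITHUB_REF_NAME}` on the `gh workflow run` line is left unquoted, whereas make-release.yml in the same commit double-quotes every use of the variable; git ref names cannot contain whitespace or glob characters, so this is a style point rather than a defect, but `gh workflow run -f "branch=${GITHUB_REF_NAME}" deploy-site.yaml` would match the other file. Unchanged by this commit, the `gh run list -w deploy-site.yaml -L 1` lookup on the following line picks the most recent run rather than the one just dispatched, so if the deploy workflow can be triggered concurrently the `gh run watch` may follow a different run; presumably acceptable here, but worth a comment if so.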
index 038ffad8774846be41a1e8f4305db5472773e15b..e9543b77b636d34bed57bb1143c6f0a3509ab604 100644 (file)
@@ -29,17 +29,19 @@ jobs:
         path: ${{ github.ref_name }}
         persist-credentials: false
     - name: "Prepare assets"
+      env:
+        SIGNING_KEY_UID: ${{ vars.signing_key_uid }}
       run: |
-        cd ${{ github.ref_name }}
+        cd "$GITHUB_REF_NAME"
         ./util/mktar.sh
-        mkdir assets && mv ${{ github.ref_name }}.tar.gz assets/ && cd assets
-        openssl sha1 -r ${{ github.ref_name }}.tar.gz > ${{ github.ref_name }}.tar.gz.sha1
-        openssl sha256 -r ${{ github.ref_name }}.tar.gz > ${{ github.ref_name }}.tar.gz.sha256
-        gpg -u ${{ vars.signing_key_uid }} -o ${{ github.ref_name }}.tar.gz.asc -sba ${{ github.ref_name }}.tar.gz
+        mkdir -p assets && mv "$GITHUB_REF_NAME.tar.gz" assets/ && cd assets
+        openssl sha1 -r "$GITHUB_REF_NAME.tar.gz" > "$GITHUB_REF_NAME.tar.gz.sha1"
+        openssl sha256 -r "$GITHUB_REF_NAME.tar.gz" > "$GITHUB_REF_NAME.tar.gz.sha256"
+        gpg -u "$SIGNING_KEY_UID" -o "$GITHUB_REF_NAME.tar.gz.asc" -sba "$GITHUB_REF_NAME.tar.gz"
     - name: "Create release"
       env:
         GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
       run: |
-        VERSION=$(echo ${{ github.ref_name }} | cut -d "-" -f 2-)
-        PRE_RELEASE=$([[ ${{ github.ref_name }} =~ alpha|beta ]] && echo "-p" || echo "")
-        gh release create ${{ github.ref_name }} $PRE_RELEASE -t "OpenSSL $VERSION" -d --notes " " -R ${{ github.repository }} ${{ github.ref_name }}/assets/*
+        VERSION="$(echo "$GITHUB_REF_NAME" | cut -d '-' -f 2-)"
+        PRE_RELEASE=$([[ "$GITHUB_REF_NAME" =~ alpha|beta ]] && echo "-p" || echo "")
+        gh release create "$GITHUB_REF_NAME" $PRE_RELEASE -t "OpenSSL $VERSION" -d --notes " " -R "$GITHUB_REPOSITORY" "$GITHUB_REF_NAME/assets/"*
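Review bot: Nothing in the file records why the ref name and signing key UID now travel through `env` instead of `${{ }}` expansions, so a later edit can easily reintroduce an inline expansion into a `run:` script; a one-line comment above the new `env:` of "Prepare assets" such as `# Pass dynamic values via env, never ${{ }} inside run: (see the zizmor template-injection audit)` would anchor the rule where the next editor will see it. The change from `mkdir assets` to `mkdir -p assets` is not mentioned in the description; with `-p` a pre-existing `assets/` directory no longer fails the step, so the `"$GITHUB_REF_NAME/assets/"*` glob in "Create release" could pick up stale files if the checkout were ever reused — presumably harmless on a fresh runner, but worth confirming the relaxation was intended. The `${{ github.ref_name }}` left on the `path:` line is a step input rather than a shell script, so it is correctly left as is.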