Avoid injection

JackPGreen · JackPGreen · commit af68300f620a · 2025-11-25T21:15:07.000Z
diff --git a/check-base-images/action.yml b/check-base-images/action.yml
@@ -34,17 +34,17 @@ runs:
           . check-base-images/check-base-images.functions.sh
         popd
 
-        image=${{ inputs.image-name }}
-        dockerfile=hazelcast-docker/${{ inputs.dockerfile-path }}
-
-        echodebug "Checking ${image}"
-        if base_image_outdated_from_dockerfile "${image}" "${dockerfile}"; then
+        echodebug "Checking ${IMAGE}"
+        if base_image_outdated_from_dockerfile "${IMAGE}" "${DOCKERFILE}"; then
           echo "outdated=true" >> ${GITHUB_OUTPUT}
-          echonotice "${image} needs rebuild"
-        elif packages_updatable_from_dockerfile "${image}" "${dockerfile}"; then
+          echonotice "${IMAGE} needs rebuild"
+        elif packages_updatable_from_dockerfile "${IMAGE}" "${DOCKERFILE}"; then
           echo "outdated=true" >> ${GITHUB_OUTPUT}
-          echonotice "System package upgrades for ${image} available"
+          echonotice "System package upgrades for ${IMAGE} available"
         else
           echo "outdated=false" >> ${GITHUB_OUTPUT}
-          echodebug "${image} is up-to-date"
+          echodebug "${IMAGE} is up-to-date"
         fi
+      env:
+        IMAGE: ${{ inputs.image-name }}
+        DOCKERFILE: hazelcast-docker/${{ inputs.dockerfile-path }}
diff --git a/download-hz-dist/action.yml b/download-hz-dist/action.yml
@@ -26,6 +26,11 @@ outputs:
     description: 'Path to the downloaded file'
     value: ${{ steps.derive-output-file.outputs.file }}
 runs:
+  env:
+    DISTRIBUTION: ${{ inputs.distribution }}
+    HZ_VERSION: ${{ inputs.hz_version }}
+    CLASSIFIER: ${{ inputs.classifier }}
+    PACKAGING: ${{ inputs.packaging }}
   using: "composite"
   steps:
     - name: Get repository URL
@@ -35,34 +40,38 @@ runs:
         . ${GITHUB_ACTION_PATH}/../.github/scripts/logging.functions.sh
 
         # Pick an appropriate key from "repo-vars-as-json"
-        case "${{ inputs.distribution }}" in
+        case "${DISTRIBUTION}" in
             "hazelcast")
-              if [[ "${{ inputs.hz_version }}" == *"SNAPSHOT"* ]]; then
+              if [[ "${HZ_VERSION}" == *"SNAPSHOT"* ]]; then
                 repo_var_name=MAVEN_OSS_SNAPSHOT_REPO
               else
                 repo_var_name=MAVEN_OSS_RELEASE_REPO
               fi
             ;;
             "hazelcast-enterprise")
-              if [[ "${{ inputs.hz_version }}" == *"SNAPSHOT"* ]]; then
+              if [[ "${HZ_VERSION}" == *"SNAPSHOT"* ]]; then
                 repo_var_name=MAVEN_EE_SNAPSHOT_REPO
               else
                 repo_var_name=MAVEN_EE_RELEASE_REPO
               fi
             ;;
             *)
-            echoerr "Unsupported distribution type '${{ inputs.distribution }}'" ; return 1
+            echoerr "Unsupported distribution type '${DISTRIBUTION}'" ; return 1
             ;;
         esac
 
         # Lookup up the value of the selected key in "repo-vars-as-json"
-        echo "repo_url=$(jq --raw-output .${repo_var_name} <<< '${{ inputs.repo-vars-as-json }}')" >> ${GITHUB_OUTPUT}
+        echo "repo_url=$(jq --raw-output .${repo_var_name} <<< '${REPO_VARS_AS_JSON}')" >> ${GITHUB_OUTPUT}
+      env:
+        REPO_VARS_AS_JSON: ${{ inputs.repo-vars-as-json }}
 
     - name: Derive output file
       id: derive-output-file
       shell: bash
       run: |
-        echo "file=${{ inputs.output_file || format('distribution.{0}', inputs.packaging) }}" >> ${GITHUB_OUTPUT}
+        echo "file=${FILE}" >> ${GITHUB_OUTPUT}
+      env:
+        FILE: ${{ inputs.output_file || format('distribution.{0}', inputs.packaging) }}
 
     - name: Download via Maven
       shell: bash
@@ -71,10 +80,10 @@ runs:
           org.apache.maven.plugins:maven-dependency-plugin:2.10:get \
           -DremoteRepositories="${{ steps.get_repo_url.outputs.repo_url }}" \
           -DgroupId="com.hazelcast" \
-          -DartifactId="${{ inputs.distribution }}-distribution" \
-          -Dversion="${{ inputs.hz_version }}" \
-          -Dclassifier="${{ inputs.classifier }}" \
-          -Dpackaging="${{ inputs.packaging }}" \
+          -DartifactId="${DISTRIBUTION}-distribution" \
+          -Dversion="${HZ_VERSION}" \
+          -Dclassifier="${CLASSIFIER}" \
+          -Dpackaging="${PACKAGING}" \
           -Dtransitive=false \
           -Ddest="${{ steps.derive-output-file.outputs.file }}" \
           --batch-mode \
diff --git a/get-supported-jdks/action.yml b/get-supported-jdks/action.yml
@@ -18,7 +18,9 @@ runs:
       id: get-supported-jdks
       run: |
         source ${GITHUB_ACTION_PATH}/get-supported-jdks.functions.sh
-        echo "jdks=$(get_supported_jdks ${{ inputs.HZ_VERSION}} )" >> ${GITHUB_OUTPUT}
+        echo "jdks=$(get_supported_jdks ${HZ_VERSION} )" >> ${GITHUB_OUTPUT}
+      with:
+        HZ_VERSION: ${{ inputs.HZ_VERSION}}
 
     - shell: bash
       id: get-default-jdk
diff --git a/resolve-editions/action.yml b/resolve-editions/action.yml
@@ -21,5 +21,7 @@ runs:
       run: |
         source ${GITHUB_ACTION_PATH}/build.functions.sh
 
-        echo "should_build_oss=$(should_build_oss "${{ inputs.release-type }}")" >> ${GITHUB_OUTPUT}
-        echo "should_build_ee=$(should_build_ee "${{ inputs.release-type }}")" >> ${GITHUB_OUTPUT}
+        echo "should_build_oss=$(should_build_oss "${RELEASE_TYPE}")" >> ${GITHUB_OUTPUT}
+        echo "should_build_ee=$(should_build_ee "${RELEASE_TYPE}")" >> ${GITHUB_OUTPUT}
+      env:
+        RELEASE_TYPE: ${{ inputs.release-type }}
