GHA: silence zizmor warnings [ci skip]

Thanks @woodruffw! One of these for each job: ``` error[template-injection]: code injection via template expansion --> .github/workflows/build.yml:67:9 | 67 | - name: 'build' | ^^^^^^^^^^^^^ this step 68 | / run: | 69 | | export CW_CONFIG='awslc-${{ github.ref_name }}-linux-a64-r64-x64' ... | 78 | | "${DOCKER_IMAGE}" \ 79 | | sh -c ./_ci-linux-debian.sh | |_______________________________________^ github.ref_name may expand into attacker-controllable code | = note: audit confidence → High ``` For this project none posed a security issue, because we limit runs to branches `main`, `dev` and `test`.
curl · Dec 16, 2024 · 05ca755 · 05ca755
1 parent 6501eaf
commit 05ca755
Showing 1 changed file with 17 additions and 17 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -73,7 +73,7 @@ jobs:
           fetch-depth: '300'
       - name: 'build'
         run: |
-          export CW_CONFIG='${{ github.ref_name }}-linux-a64-x64'
+          export CW_CONFIG="${GITHUB_REF_NAME}-linux-a64-x64"
           export CW_REVISION='${{ github.sha }}'
           . ./_versions.sh
           docker trust inspect --pretty "${DOCKER_IMAGE}"
@@ -105,7 +105,7 @@ jobs:
           fetch-depth: '300'
       - name: 'build'
         run: |
-          export CW_CONFIG='${{ github.ref_name }}-linux-a64-r64-x64-gcc'
+          export CW_CONFIG="${GITHUB_REF_NAME}-linux-a64-r64-x64-gcc"
           export CW_REVISION='${{ github.sha }}'
           . ./_versions.sh
           export CW_GCCSUFFIX='-14'
@@ -138,7 +138,7 @@ jobs:
           fetch-depth: '300'
       - name: 'build'
         run: |
-          export CW_CONFIG='${{ github.ref_name }}-linux'
+          export CW_CONFIG="${GITHUB_REF_NAME}-linux"
           export CW_REVISION='${{ github.sha }}'
           DOCKER_IMAGE='debian:bookworm-slim'
           DOCKER_CONTENT_TRUST=1
@@ -173,7 +173,7 @@ jobs:
           fetch-depth: '300'
       - name: 'build'
         run: |
-          export CW_CONFIG='${{ github.ref_name }}-linux-gcc'
+          export CW_CONFIG="${GITHUB_REF_NAME}-linux-gcc"
           export CW_REVISION='${{ github.sha }}'
           DOCKER_IMAGE='debian:bookworm-slim'
           DOCKER_CONTENT_TRUST=1
@@ -208,7 +208,7 @@ jobs:
           fetch-depth: '300'
       - name: 'build'
         run: |
-          export CW_CONFIG='${{ github.ref_name }}-linux-a64-r64-x64-musl'
+          export CW_CONFIG="${GITHUB_REF_NAME}-linux-a64-r64-x64-musl"
           export CW_REVISION='${{ github.sha }}'
           . ./_versions.sh
           docker trust inspect --pretty "${DOCKER_IMAGE}"
@@ -240,7 +240,7 @@ jobs:
           fetch-depth: '300'
       - name: 'build'
         run: |
-          export CW_CONFIG='${{ github.ref_name }}-linux-a64-r64-x64-musl-gcc'
+          export CW_CONFIG="${GITHUB_REF_NAME}-linux-a64-r64-x64-musl-gcc"
           export CW_REVISION='${{ github.sha }}'
           . ./_versions.sh
           docker trust inspect --pretty "${DOCKER_IMAGE}"
@@ -272,7 +272,7 @@ jobs:
           fetch-depth: '300'
       - name: 'build'
         run: |
-          export CW_CONFIG='${{ github.ref_name }}-linux-musl'
+          export CW_CONFIG="${GITHUB_REF_NAME}-linux-musl"
           export CW_REVISION='${{ github.sha }}'
           DOCKER_IMAGE='debian:bookworm-slim'
           DOCKER_CONTENT_TRUST=1
@@ -307,7 +307,7 @@ jobs:
           fetch-depth: '300'
       - name: 'build'
         run: |
-          export CW_CONFIG='${{ github.ref_name }}-linux-musl-gcc'
+          export CW_CONFIG="${GITHUB_REF_NAME}-linux-musl-gcc"
           export CW_REVISION='${{ github.sha }}'
           DOCKER_IMAGE='debian:bookworm-slim'
           DOCKER_CONTENT_TRUST=1
@@ -342,7 +342,7 @@ jobs:
           fetch-depth: '300'
       - name: 'build'
         run: |
-          export CW_CONFIG='${{ github.ref_name }}-linux'
+          export CW_CONFIG="${GITHUB_REF_NAME}-linux"
           export CW_REVISION='${{ github.sha }}'
           DOCKER_IMAGE='alpine:latest'
           DOCKER_CONTENT_TRUST=1
@@ -375,7 +375,7 @@ jobs:
           fetch-depth: '300'
       - name: 'build'
         run: |
-          export CW_CONFIG='${{ github.ref_name }}-linux-gcc'
+          export CW_CONFIG="${GITHUB_REF_NAME}-linux-gcc"
           export CW_REVISION='${{ github.sha }}'
           DOCKER_IMAGE='alpine:latest'
           DOCKER_CONTENT_TRUST=1
@@ -410,7 +410,7 @@ jobs:
         env:
           GITHUB_TOKEN: '${{ github.token }}'
         run: |
-          export CW_CONFIG='${{ github.ref_name }}-linux'
+          export CW_CONFIG="${GITHUB_REF_NAME}-linux"
           export CW_REVISION='${{ github.sha }}'
           sh -c ./_ci-mac-homebrew.sh
 
@@ -438,7 +438,7 @@ jobs:
         env:
           GITHUB_TOKEN: '${{ github.token }}'
         run: |
-          export CW_CONFIG='${{ github.ref_name }}-mac-macuni'
+          export CW_CONFIG="${GITHUB_REF_NAME}-mac-macuni"
           export CW_REVISION='${{ github.sha }}'
           sh -c ./_ci-mac-homebrew.sh
 
@@ -466,7 +466,7 @@ jobs:
         env:
           GITHUB_TOKEN: '${{ github.token }}'
         run: |
-          export CW_CONFIG='${{ github.ref_name }}-mac-macuni-llvm'
+          export CW_CONFIG="${GITHUB_REF_NAME}-mac-macuni-llvm"
           export CW_REVISION='${{ github.sha }}'
           sh -c ./_ci-mac-homebrew.sh
 
@@ -495,7 +495,7 @@ jobs:
           GITHUB_TOKEN: '${{ github.token }}'
         run: |
           export CW_CCSUFFIX='-14'
-          export CW_CONFIG='${{ github.ref_name }}-mac-gcc-a64'
+          export CW_CONFIG="${GITHUB_REF_NAME}-mac-gcc-a64"
           export CW_REVISION='${{ github.sha }}'
           sh -c ./_ci-mac-homebrew.sh
 
@@ -524,7 +524,7 @@ jobs:
           CW_LLVM_MINGW_DL: '1'
           CW_LLVM_MINGW_ONLY: '0'
         run: |
-          export CW_CONFIG='${{ github.ref_name }}-win'
+          export CW_CONFIG="${GITHUB_REF_NAME}-win"
           export CW_REVISION='${{ github.sha }}'
           . ./_versions.sh
           sh -c ./_ci-mac-homebrew.sh
@@ -552,7 +552,7 @@ jobs:
           CW_LLVM_MINGW_DL: '1'
           CW_LLVM_MINGW_ONLY: '0'
         run: |
-          export CW_CONFIG='${{ github.ref_name }}-win'
+          export CW_CONFIG="${GITHUB_REF_NAME}-win"
           export CW_REVISION='${{ github.sha }}'
           . ./_versions.sh
           docker trust inspect --pretty "${DOCKER_IMAGE}"
@@ -587,7 +587,7 @@ jobs:
           CW_LLVM_MINGW_DL: '1'
           CW_LLVM_MINGW_ONLY: '0'
         run: |
-          export CW_CONFIG='${{ github.ref_name }}-win-gcc'
+          export CW_CONFIG="${GITHUB_REF_NAME}-win-gcc"
           export CW_REVISION='${{ github.sha }}'
           . ./_versions.sh
           docker trust inspect --pretty "${DOCKER_IMAGE}"