Fix help[template-injection]: code injection via template expansion

hugovk · hugovk · commit 0095248b9243 · 2026-02-25T11:29:20.000+02:00
diff --git a/.github/workflows/build-and-push.yml b/.github/workflows/build-and-push.yml
@@ -49,6 +49,8 @@ jobs:
       # https://specs.opencontainers.org/image-spec/annotations/#pre-defined-annotation-keys
       - name: Extract labels from Dockerfile
         id: labels
+        env:
+          CREATED: ${{ steps.version.outputs.created }}
         run: |
           set -euo pipefail
 
@@ -84,8 +86,8 @@ jobs:
           documentation=$(extract_label "documentation")
 
           # Get dynamic values from earlier steps.
-          created="${{ steps.version.outputs.created }}"
-          revision="${{ github.sha }}"
+          created="$CREATED"
+          revision="$GITHUB_SHA"
 
           # Build annotations string.
           annotations=""
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -34,7 +34,7 @@ jobs:
           load: true
           tags: ${{ env.TAG }}
       - name: Test clang
-        run: docker run --rm ${{ env.TAG }} clang --version
+        run: docker run --rm "$TAG" clang --version
 
   build_wasi_container:
     name: Build and test (WASI container)
@@ -59,9 +59,9 @@ jobs:
           load: true
           tags: ${{ env.TAG }}
       - name: Test WASI SDK
-        run: docker run --rm ${{ env.TAG }} /opt/wasi-sdk/bin/clang --version
+        run: docker run --rm "$TAG" /opt/wasi-sdk/bin/clang --version
       - name: Test Wasmtime
-        run: docker run --rm ${{ env.TAG }} wasmtime --version
+        run: docker run --rm "$TAG" wasmtime --version
 
   build_autoconf:
     name: Build and test (Autoconf)
