fix(semgrep): avoid run-shell-injection (#280)

* fix(semgrep): avoid run-shell-injection

* fix(semgrep): avoid run-shell-injection

* fix(semgrep): avoid run-shell-injection

* fix

* Apply suggestions from code review

Co-authored-by: Ivan Fernandez Calvo <5400788+kuisathaverat@users.noreply.github.com>

---------

Co-authored-by: Ivan Fernandez Calvo <5400788+kuisathaverat@users.noreply.github.com>

Author: v1v

oblt-cli/deploy-my-kibana/action.yml

@@ -69,7 +69,9 @@ runs:
 
     - if: ${{ inputs.github-token != '' }}
       name: If GitHub token provided
-      run: echo "GH_TOKEN=${{ inputs.github-token }}" >> "$GITHUB_ENV"
+      run: echo "GH_TOKEN=${GH_TOKEN}" >> "$GITHUB_ENV"
+      env:
+        GH_TOKEN: ${{ inputs.github-token }}
       shell: bash
 
     - uses: elastic/oblt-actions/github/is-member-of@v1
@@ -82,7 +84,7 @@ runs:
     - name: Get cluster given the target branch (either edge-lite or release)
       if: contains(steps.is_elastic_member.outputs.result, 'true')
       run: |-
-        PR=$(basename ${{ inputs.issue-url }})
+        PR=$(basename "${ISSUE_URL}")
         echo "PR=${PR}" >> $GITHUB_ENV
 
         # issue_comment does not contain any references to github.base_ref
@@ -93,6 +95,8 @@ runs:
         else
           echo "CLUSTER=release-oblt" >> $GITHUB_ENV
         fi
+      env:
+        ISSUE_URL: ${{ inputs.issue-url }}
       shell: bash
 
     - name: Create GitHub issue
@@ -118,16 +122,19 @@ runs:
 
         ### Further details
 
-        Caused by @${{ inputs.user }} in ${{ inputs.comment-url }} via this [GitHub workflow build](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}/attempts/${{ github.run_attempt }})
+        Caused by @${GITHUB_USER} in ${COMMENT_URL} via this [GitHub workflow build](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}/attempts/${{ github.run_attempt }})
         EOT
         gh issue \
           create \
           --label 'deploy-custom-kibana' \
-          --title "[Deploy Kibana] for user ${{ inputs.user }} with PR kibana@pr-${{ env.PR }} on cluster ${{ env.CLUSTER }}" \
-          --assignee ${{ inputs.user }} \
+          --title "[Deploy Kibana] for user ${GITHUB_USER} with PR kibana@pr-${{ env.PR }} on cluster ${{ env.CLUSTER }}" \
+          --assignee "${GITHUB_USER}" \
           --body-file .body-content \
           --repo elastic/observability-test-environments | tee .issue
         echo "issue=$(cat .issue)" >> "$GITHUB_OUTPUT"
+      env:
+        GITHUB_USER: ${{ inputs.user }}
+        COMMENT_URL: ${{ inputs.comment-url }}
       shell: bash
 
     - name: Notify with a reaction if a non-elastician comment

oblt-cli/run/action.yml

@@ -24,7 +24,8 @@ runs:
         slack-channel: ${{ inputs.slack-channel }}
         username: ${{ inputs.username }}
     - name: run oblt-cli
-      run: oblt-cli --verbose ${{ inputs.command }}
+      run: oblt-cli --verbose ${COMMAND}
       shell: bash
       env:
         GITHUB_TOKEN: ${{ inputs.github-token }}
+        COMMAND: ${{ inputs.command }}

oblt-cli/undeploy-my-kibana/action.yml

@@ -55,13 +55,18 @@ runs:
 
     - if: ${{ inputs.github-token != '' }}
       name: If GitHub token provided
-      run: echo "GH_TOKEN=${{ inputs.github-token }}" >> "$GITHUB_ENV"
+      run: echo "GH_TOKEN=${GH_TOKEN}" >> "$GITHUB_ENV"
+      env:
+        GH_TOKEN: ${{ inputs.github-token }}
       shell: bash
 
     - name: Gather PR Owner
       run: |-
-        PR_AUTHOR=$(gh pr view ${{ inputs.pull-request }} --repo ${{ inputs.repository }} --json author --jq .author.login)
+        PR_AUTHOR=$(gh pr view "${PR}" --repo "${REPO}" --json author --jq .author.login)
         echo "PR_AUTHOR=${PR_AUTHOR}" >> $GITHUB_ENV
+      env:
+        PR: ${{ inputs.pull-request }}
+        REPO: ${{ inputs.repository }}
       shell: bash
 
     - name: Create GitHub issue body