AAE-39560: security fixes (#11315)

DenysVuika · web-flow · commit a4f5cfc96489 · 2025-10-30T07:59:29.000-04:00
diff --git a/.github/actions/before-install/action.yml b/.github/actions/before-install/action.yml
@@ -45,11 +45,13 @@ runs:
     - name: RELEASE on master/develop patch branch
       if: ${{ env.BREAK_ACTION == false && github.event.pull_request.merged }}
       shell: bash
+      env:
+        REF_NAME: ${{ github.ref_name }}
       run: |
-        if [[ "${{ github.ref_name }}" =~ ^master(-patch.*)?$ ]]; then
+        if [[ "$REF_NAME" =~ ^master(-patch.*)?$ ]]; then
             # into master(-patch*)
             echo "Setting up CI flags for Push on master patch"
-        elif [[ "${{ github.ref_name }}" =~ ^develop-patch.*$ ]]; then
+        elif [[ "$REF_NAME" =~ ^develop-patch.*$ ]]; then
             # into develop-patch*
             echo "Setting up CI flags for Push develop patch"
         else
diff --git a/.github/actions/enable-dryrun/action.yml b/.github/actions/enable-dryrun/action.yml
@@ -20,8 +20,10 @@ runs:
     - name: set dryrun flag to TRUE
       shell: bash
       id: dryrun
+      env:
+        DRY_RUN_FLAG: ${{ inputs.dry-run-flag }}
       run: |
-          if [[ '${{ inputs.dry-run-flag }}' == 'true' ]]; then
+          if [[ '$DRY_RUN_FLAG' == 'true' ]]; then
             echo "dryrun=--dryrun" >> $GITHUB_OUTPUT;
             echo "enabling dryrun"
           else
diff --git a/.github/actions/set-npm-tag/action.yml b/.github/actions/set-npm-tag/action.yml
@@ -17,11 +17,13 @@ runs:
 
     - name: set TAG_NPM
       shell: bash
+      env:
+        BRANCH_NAME: ${{ inputs.branch_name }}
       run: |
         TAG_NPM="alpha"
         VERSION_IN_PACKAGE_JSON=$(node -p "require('./package.json')".version)
         echo "version in package.json=${VERSION_IN_PACKAGE_JSON}"
-        if [[ ${{ inputs.branch_name }} =~ ^master(-patch.*)?$ ]]; then
+        if [[ $BRANCH_NAME =~ ^master(-patch.*)?$ ]]; then
             # Pre-release versions
             if [[ $VERSION_IN_PACKAGE_JSON =~ ^[0-9]*\.[0-9]*\.[0-9]*-A\.[0-9]*$ ]];
             then
@@ -31,7 +33,7 @@ runs:
                 TAG_NPM=latest
             fi
         fi
-        if [[ ${{ inputs.branch_name }} =~ ^develop(-patch.*)?$ ]]; then
+        if [[ $BRANCH_NAME =~ ^develop(-patch.*)?$ ]]; then
             TAG_NPM=alpha
         fi
         echo "TAG_NPM=${TAG_NPM}" >> $GITHUB_ENV
diff --git a/.github/workflows/git-tag.yml b/.github/workflows/git-tag.yml
@@ -52,6 +52,8 @@ jobs:
         with:
           node-version-file: '.nvmrc'
       - name: "Release tag"
+        env:
+          DRYRUN_FLAG: ${{ steps.set-dryrun.outputs.dryrun }}
         run: |
           git fetch --all --quiet
-          BRANCH=${GITHUB_REF##*/} ./scripts/github/release/git-tag.sh ${{ steps.set-dryrun.outputs.dryrun }}
+          BRANCH=${GITHUB_REF##*/} ./scripts/github/release/git-tag.sh $DRYRUN_FLAG
diff --git a/.github/workflows/package_dispatch.yml b/.github/workflows/package_dispatch.yml
@@ -10,13 +10,16 @@ jobs:
     steps:
       - name: Dispatch event to monorepo
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        env:
+          PACKAGE_NAME: ${{ github.event.registry_package.name }}
+          PACKAGE_VERSION: ${{ github.event.registry_package.package_version.name }}
         with:
           github-token: ${{ secrets.PAT_WRITE_PKG }}
           retries: 3
           script: |
             const payload = {
-              package_name: "${{ github.event.registry_package.name }}",
-              package_version: "${{ github.event.registry_package.package_version.name }}"
+              package_name: process.env.PACKAGE_NAME,
+              package_version: process.env.PACKAGE_VERSION
             };
 
             await github.rest.repos.createDispatchEvent({
diff --git a/.github/workflows/pull-request.yml b/.github/workflows/pull-request.yml
@@ -73,8 +73,11 @@ jobs:
 
       - name: ci:force flag parser
         shell: bash
+        env:
+          EVENT_NAME: ${{ github.event_name }}
+          ACTOR: ${{ github.actor }}
         run: |
-          if [ "${{ github.event_name }}" == "schedule" ] || [ "${{ github.actor }}" == "dependabot[bot]" ]; then
+          if [ "$EVENT_NAME" == "schedule" ] || [ "$ACTOR" == "dependabot[bot]" ]; then
             echo -e "\033[32mci:force check can be skipped\033[0m"
             skip_check="true"
           elif [[ "$COMMIT_MESSAGE" == *"[ci:force]"* ]]; then
@@ -91,28 +94,33 @@ jobs:
 
       - name: show pr number
         shell: bash
+        env:
+          PR_NUMBER: ${{ steps.action.outputs.number }}
         run: |
-          echo "PR: ${{ steps.action.outputs.number }}"
+          echo "PR: $PR_NUMBER"
 
       - name: check if pr is approved
         env:
           DEVEL_FLAG: ${{ inputs.devel }}
           GH_TOKEN: ${{ github.token }}
           skip_check: "false"
+          EVENT_NAME: ${{ github.event_name }}
+          ACTOR: ${{ github.actor }}
+          PR_NUMBER: ${{ steps.action.outputs.number }}
         run: |
-          if [ "${{ github.event_name }}" == "schedule" ] || [ "${{ github.actor }}" == "dependabot[bot]" ]; then
+          if [ "$EVENT_NAME" == "schedule" ] || [ "$ACTOR" == "dependabot[bot]" ]; then
             echo -e "\033[32mci:force check can be skipped\033[0m"
             skip_check="true"
           elif [[ "$COMMIT_MESSAGE" == *"[ci:force]"* ]]; then
             echo -e "\033[32m[ci:force] flag detected. No need for approval.\033[0m"
             skip_check="true"
           fi
 
-          if [ "${{ github.actor }}" == "dependabot[bot]" ] || [ "${{ github.actor }}" == "alfresco-build" ]; then
-            echo -e "\033[32mCommit by ${{ github.actor }}. No need for approval.\033[0m"
+          if [ "$ACTOR" == "dependabot[bot]" ] || [ "$ACTOR" == "alfresco-build" ]; then
+            echo -e "\033[32mCommit by $ACTOR. No need for approval.\033[0m"
             skip_check="true"
           fi
-          if [ "${{ github.event_name }}" == "schedule" ] || [ "${{ github.event_name }}" == "workflow_dispatch" ]; then
+          if [ "$EVENT_NAME" == "schedule" ] || [ "$EVENT_NAME" == "workflow_dispatch" ]; then
             echo -e "\033[32mSchedule event\033[0m"
             skip_check="true"
           fi
@@ -124,7 +132,7 @@ jobs:
 
           if [ "$skip_check" == "false" ]; then
             echo "Checking PR approval"
-            prNumber=${{ steps.action.outputs.number }}
+            prNumber=$PR_NUMBER
             echo "PR: $prNumber"
             checkApproval=$(gh api /repos/$GITHUB_REPOSITORY/pulls/$prNumber/reviews | jq '.[] | select(.state == "APPROVED") | .user.login')
             if [[ $checkApproval ]]; then
@@ -184,8 +192,10 @@ jobs:
       - uses: ./.github/actions/setup
       - uses: ./.github/actions/download-node-modules-and-artifacts
       - name: Run unit tests
+        env:
+          EXCLUDE_PATTERN: ${{ matrix.unit-tests.exclude }}
         run: |
-          /usr/bin/xvfb-run --auto-servernum npm run test:affected -- $NX_CALCULATION_FLAGS --exclude=${{ matrix.unit-tests.exclude }}
+          /usr/bin/xvfb-run --auto-servernum npm run test:affected -- $NX_CALCULATION_FLAGS --exclude=$EXCLUDE_PATTERN
 
   lint:
     # long timeout required when cache has to be recreated
@@ -241,9 +251,12 @@ jobs:
               core.setFailed('The PR contains a forbidden label! You are not allowed to merge until the label is there.');
             }
       - name: Check value after
+        env:
+          STEP_RESULT: ${{ toJson(steps.pr-forbidden.*.result) }}
+          HAS_FAILURE: ${{ contains(toJson(steps.pr-forbidden.*.result), 'failure') }}
         run: |
-          echo "result ${{ toJson(steps.pr-forbidden.*.result) }}" && echo "result ${{ steps.pr-forbidden.*.result }}"
-          echo "result ${{ contains(toJson(steps.pr-forbidden.*.result), 'failure') }}"
+          echo "Step result: $STEP_RESULT"
+          echo "Has failure: $HAS_FAILURE"
 
   finalize:
     if: ${{ always() }}
