Merge pull request #3055 from VWS-Python/env-vars-release

adamtheturtle · web-flow · commit b3ed054c7dde · 2026-03-17T13:21:45.000Z
Move release and tag version into env vars to prevent template injection
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -45,8 +45,10 @@ jobs:
 
       - name: Get the changelog underline
         id: changelog_underline
+        env:
+          RELEASE: ${{ steps.calver.outputs.release }}
         run: |
-          underline="$(echo "${{ steps.calver.outputs.release }}" | tr -c '\n' '-')"
+          underline="$(echo "$RELEASE" | tr -c '\n' '-')"
           echo "underline=${underline}" >> "$GITHUB_OUTPUT"
 
       - name: Update changelog
@@ -64,8 +66,10 @@ jobs:
           regex: false
 
       - name: Check Update changelog was modified
+        env:
+          MODIFIED_FILES: ${{ steps.update_changelog.outputs.modifiedFiles }}
         run: |
-          if [ "${{ steps.update_changelog.outputs.modifiedFiles }}" = "0" ]; then
+          if [ "$MODIFIED_FILES" = "0" ]; then
             echo "Error: No files were modified when updating changelog"
             exit 1
           fi
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -131,15 +131,16 @@ jobs:
           cache-dependency-glob: '**/pyproject.toml'
 
       - name: Set secrets file
-        run: |
-          # See the "CI Setup" document for details of how this was set up.
-          ci/decrypt_secret.sh
-          tar xvf "${HOME}"/secrets/secrets.tar
-          cp ./ci_secrets/vuforia_secrets_${{ strategy.job-index }}.env ./vuforia_secrets.env
         env:
           CI_PATTERN: ${{ matrix.ci_pattern }}
           ENCRYPTED_FILE: secrets.tar.gpg
           LARGE_SECRET_PASSPHRASE: ${{ secrets.PASSPHRASE_FOR_VUFORIA_SECRETS }}
+          JOB_INDEX: ${{ strategy.job-index }}
+        run: |
+          # See the "CI Setup" document for details of how this was set up.
+          ci/decrypt_secret.sh
+          tar xvf "${HOME}"/secrets/secrets.tar
+          cp "./ci_secrets/vuforia_secrets_${JOB_INDEX}.env" ./vuforia_secrets.env
 
       # We have seen issues with running out of disk space on test_docker
       - name: Free Disk Space (Ubuntu)
diff --git a/zizmor.yml b/zizmor.yml
@@ -8,5 +8,3 @@ rules:
     disable: true
   superfluous-actions:
     disable: true
-  template-injection:
-    disable: true
