Remedy risk of template code injection

.github/actions/bazel-linux-build/action.yml

@@ -24,4 +24,6 @@ runs:
         echo "CC=clang" >> $GITHUB_ENV
     - name: Build SwiftLint with Bazel
       shell: bash
-      run: bazel build --config release ${{ inputs.target }}
+      run: bazel build --config release ${INPUTS_TARGET}
+      env:
+        INPUTS_TARGET: ${{ inputs.target }}

.github/actions/run-make/action.yml

@@ -10,10 +10,12 @@ runs:
   steps:
     - run: |
         awk '
-          $0 ~ "${{ inputs.rule }}:" { in_rule = 1; next }
+          $0 ~ "${INPUTS_RULE}:" { in_rule = 1; next }
           in_rule && /^\t/ { print $0 }
           in_rule && !/^\t/ { in_rule = 0 }
         ' Makefile | while IFS= read -r command; do
           eval "$command"
         done
       shell: bash
+      env:
+        INPUTS_RULE: ${{ inputs.rule }}

.github/workflows/actor-credentials.yml

@@ -31,8 +31,10 @@ jobs:
       - name: Retrieve author in uppercase
         id: retrieve_author
         run: |
-          AUTHOR=$(echo ${{ inputs.actor }} | tr '[:lower:]' '[:upper:]')
+          AUTHOR=$(echo "${INPUTS_ACTOR}" | tr '[:lower:]' '[:upper:]')
           echo "name=${AUTHOR}" >> "$GITHUB_OUTPUT"
+        env:
+          INPUTS_ACTOR: ${{ inputs.actor }}
       - name: Configure Git author
         id: configure_git_author
         uses: Homebrew/actions/git-user-config@master

.github/workflows/docker.yml

@@ -40,13 +40,14 @@ jobs:
           } >> "$GITHUB_OUTPUT"
         else
           {
-            echo "checkout-ref=${{ inputs.tag }}"
-            echo "docker-tag=${{ inputs.tag }}"
+            echo "checkout-ref=${INPUTS_TAG}"
+            echo "docker-tag=${INPUTS_TAG}"
           } >> "$GITHUB_OUTPUT"
         fi
         echo "repository-lc=${REPOSITORY,,}" >> "$GITHUB_OUTPUT"
       env:
         REPOSITORY: ${{ github.repository }}
+        INPUTS_TAG: ${{ inputs.tag }}
 
   build-amd64:
     name: Build AMD64 Image

.github/workflows/post-release.yml

@@ -31,10 +31,12 @@ jobs:
           token: ${{ secrets[format('PERSONAL_GITHUB_TOKEN_{0}', needs.setup-credentials.outputs.author_uppercase)] }}
       - name: Merge release branch
         run: |
-          git fetch origin release/${{ github.event.release.tag_name }}
-          git merge --ff-only origin/release/${{ github.event.release.tag_name }}
+          git fetch origin "release/${TAG_NAME}"
+          git merge --ff-only "origin/release/${TAG_NAME}"
           git push origin main
-          git push origin --delete release/${{ github.event.release.tag_name }}
+          git push origin --delete "release/${TAG_NAME}"
+        env:
+          TAG_NAME: ${{ github.event.release.tag_name }}
 
   publish-pod:
     name: Publish Pod