[CI] Remove template injection vulnerable bits from Agent Security GH…

…A Workflows (#30633)
DataDog · Oct 31, 2024 · 3747a3c · 3747a3c
1 parent aa0024c
commit 3747a3c
Showing 1 changed file with 9 additions and 3 deletions.
diff --git a/.github/workflows/cws-btfhub-sync.yml b/.github/workflows/cws-btfhub-sync.yml
@@ -81,8 +81,11 @@ jobs:
           echo "ARTIFACT_NAME=constants-${{ matrix.cone }}" | tr '/' '-' >> $GITHUB_OUTPUT
 
       - name: Sync constants
+        env:
+          ARTIFACT_NAME: ${{ steps.artifact-name.outputs.ARTIFACT_NAME }}
+          FORCE_REFRESH: ${{ inputs.force_refresh && '--force-refresh' || '' }}
         run: |
-          inv -e security-agent.generate-btfhub-constants --archive-path=./dev/dist/archive --output-path=./${{ steps.artifact-name.outputs.ARTIFACT_NAME }}.json ${{ inputs.force_refresh && '--force-refresh' || '' }}
+          inv -e security-agent.generate-btfhub-constants --archive-path=./dev/dist/archive --output-path=./"$ARTIFACT_NAME".json "$FORCE_REFRESH"
 
       - name: Upload artifact
         uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6
@@ -140,6 +143,9 @@ jobs:
           skip_checkout: true
 
       - name: Create Pull Request
+        env:
+          BRANCH_NAME: ${{ steps.branch-name.outputs.BRANCH_NAME }}
+          BASE_BRANCH: ${{ inputs.base_branch || 'main' }}
         uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         if: steps.commit-creator.outputs.changes_detected == 'true'
         with:
@@ -149,8 +155,8 @@ jobs:
               title: 'CWS: sync BTFHub constants',
               owner,
               repo,
-              head: '${{ steps.branch-name.outputs.BRANCH_NAME }}',
-              base: '${{ inputs.base_branch || 'main' }}',
+              head: "$BRANCH_NAME",
+              base: "$BASE_BRANCH",
               body: [
                 '### What does this PR do?',
                 'This PR syncs the BTFHub constants used by CWS',