github/equivalence-test: Ensure inputs are escaped

Co-authored-by: jeevaratnamputla <132266626+jeevaratnamputla@users.noreply.github.com>
2026-02-03 20:50:59 -05:00 · 2026-01-26 13:56:24 +00:00 · 2026-01-26 13:56:24 +00:00 · 2dbaa9a58b
commit 2dbaa9a58b
parent ac3e32b62b
1 changed files with 23 additions and 11 deletions
--- a/.github/actions/equivalence-test/action.yml
+++ b/.github/actions/equivalence-test/action.yml
@ -31,12 +31,16 @@ runs:

    - name: "download equivalence test binary"
      shell: bash
+      env:
+        TARGET_VERSION: ${{ inputs.target-equivalence-test-version }}
+        TARGET_OS: ${{ inputs.target-os }}
+        TARGET_ARCH: ${{ inputs.target-arch }}
      run: |
        ./.github/scripts/equivalence-test.sh download_equivalence_test_binary \
-          ${{ inputs.target-equivalence-test-version }} \
+          "$TARGET_VERSION" \
          ./bin/equivalence-tests \
-          ${{ inputs.target-os }} \
-          ${{ inputs.target-arch }}
+          "$TARGET_OS" \
+          "$TARGET_ARCH"

    - name: Build terraform
      shell: bash
@ -50,7 +54,7 @@ runs:
          --tests=testing/equivalence-tests/tests \
          --goldens=testing/equivalence-tests/outputs \
          --binary=$(pwd)/bin/terraform
-        
+
        git add --intent-to-add testing/equivalence-tests/outputs
        changed=$(git diff --quiet -- testing/equivalence-tests/outputs || echo true)
        echo "changed=$changed" >> "${GITHUB_OUTPUT}"
@ -58,22 +62,30 @@ runs:
    - name: "branch, commit, and push changes"
      if: steps.execute.outputs.changed == 'true'
      shell: bash
+      env:
+        NEW_BRANCH: ${{ inputs.new-branch }}
+        # GitHub token w/ push permissions is inherited from the calling workflow here
      run: |
        git config user.name "hc-github-team-tf-core"
        git config user.email "github-team-tf-core@hashicorp.com"
-        git checkout -b ${{ inputs.new-branch }}
+        git checkout -b "$NEW_BRANCH"
        git add testing/equivalence-tests/outputs
        git commit -m "Update equivalence test golden files."
-        git push --set-upstream origin ${{ inputs.new-branch }}
-          
+        git push --set-upstream origin "$NEW_BRANCH"
+
    - name: "create pull request"
      if: steps.execute.outputs.changed == 'true'
      shell: bash
+      env:
+        CURRENT_BRANCH: ${{ inputs.current-branch }}
+        NEW_BRANCH: ${{ inputs.new-branch }}
+        PR_MESSAGE: ${{ inputs.message }}
+        PR_REVIEWERS: ${{ inputs.reviewers }}
      run: |
        gh pr create \
          --draft \
-          --base ${{ inputs.current-branch }} \
-          --head ${{ inputs.new-branch }} \
+          --base "$CURRENT_BRANCH" \
+          --head "$NEW_BRANCH" \
          --title "Update equivalence test golden files" \
-          --body '${{ inputs.message }}' \
-          --reviewer ${{ inputs.reviewers }}
+          --body "$PR_MESSAGE" \
+          --reviewer "$PR_REVIEWERS"