From 2dbaa9a58b2a8c7f548f436f28534c5816dc653f Mon Sep 17 00:00:00 2001 From: Radek Simko Date: Mon, 26 Jan 2026 13:56:24 +0000 Subject: [PATCH] github/equivalence-test: Ensure inputs are escaped Co-authored-by: jeevaratnamputla <132266626+jeevaratnamputla@users.noreply.github.com> --- .github/actions/equivalence-test/action.yml | 34 ++++++++++++++------- 1 file changed, 23 insertions(+), 11 deletions(-) diff --git a/.github/actions/equivalence-test/action.yml b/.github/actions/equivalence-test/action.yml index cbfc51505e..094134935e 100644 --- a/.github/actions/equivalence-test/action.yml +++ b/.github/actions/equivalence-test/action.yml @@ -31,12 +31,16 @@ runs: - name: "download equivalence test binary" shell: bash + env: + TARGET_VERSION: ${{ inputs.target-equivalence-test-version }} + TARGET_OS: ${{ inputs.target-os }} + TARGET_ARCH: ${{ inputs.target-arch }} run: | ./.github/scripts/equivalence-test.sh download_equivalence_test_binary \ - ${{ inputs.target-equivalence-test-version }} \ + "$TARGET_VERSION" \ ./bin/equivalence-tests \ - ${{ inputs.target-os }} \ - ${{ inputs.target-arch }} + "$TARGET_OS" \ + "$TARGET_ARCH" - name: Build terraform shell: bash @@ -50,7 +54,7 @@ runs: --tests=testing/equivalence-tests/tests \ --goldens=testing/equivalence-tests/outputs \ --binary=$(pwd)/bin/terraform - + git add --intent-to-add testing/equivalence-tests/outputs changed=$(git diff --quiet -- testing/equivalence-tests/outputs || echo true) echo "changed=$changed" >> "${GITHUB_OUTPUT}" 
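Review bot: The new `env:` block in the "download equivalence test binary" step has no comment explaining why the inputs go through environment variables, so a later edit could put `${{ inputs.* }}` back inside `run:` without noticing that it reverts the fix. I would add a line above `env:` such as `# Pass inputs via env, never inline in run: expressions are expanded into the script text before bash parses it.` The quoted values now reach `equivalence-test.sh` verbatim. That script is outside this patch, so whether it validates the version, OS and arch before using them needs checking separately.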
@@ -58,22 +62,30 @@ runs: - name: "branch, commit, and push changes" if: steps.execute.outputs.changed == 'true' shell: bash + env: + NEW_BRANCH: ${{ inputs.new-branch }} + # GitHub token w/ push permissions is inherited from the calling workflow here run: | git config user.name "hc-github-team-tf-core" git config user.email "github-team-tf-core@hashicorp.com" - git checkout -b ${{ inputs.new-branch }} + git checkout -b "$NEW_BRANCH" git add testing/equivalence-tests/outputs git commit -m "Update equivalence test golden files." - git push --set-upstream origin ${{ inputs.new-branch }} - + git push --set-upstream origin "$NEW_BRANCH" + - name: "create pull request" if: steps.execute.outputs.changed == 'true' shell: bash + env: + CURRENT_BRANCH: ${{ inputs.current-branch }} + NEW_BRANCH: ${{ inputs.new-branch }} + PR_MESSAGE: ${{ inputs.message }} + PR_REVIEWERS: ${{ inputs.reviewers }} run: | gh pr create \ --draft \ - --base ${{ inputs.current-branch }} \ - --head ${{ inputs.new-branch }} \ + --base "$CURRENT_BRANCH" \ + --head "$NEW_BRANCH" \ --title "Update equivalence test golden files" \ - --body '${{ inputs.message }}' \ - --reviewer ${{ inputs.reviewers }} + --body "$PR_MESSAGE" \ + --reviewer "$PR_REVIEWERS"
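Review bot: Quoting `"$NEW_BRANCH"` in the "branch, commit, and push changes" step stops the shell from interpreting the input, but git still parses the value as a refspec in `git push --set-upstream origin "$NEW_BRANCH"`, and this step runs with a push-capable token. I would validate the name before the checkout with `git check-ref-format --branch "$NEW_BRANCH"` and push an explicit destination ref, `git push --set-upstream origin "HEAD:refs/heads/$NEW_BRANCH"`. In the "create pull request" step, `--reviewer "$PR_REVIEWERS"` now always passes an argument, so an empty `reviewers` input reaches `gh` as an empty string. The input definitions are outside the hunk; if `reviewers` is optional, add the flag only when the variable is non-empty.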