
Commit c65c2b2

[skip changelog] Quote all variables in GitHub Actions workflow shell commands (#1302)
Unquoted variables in shell commands can result in very confusing bugs caused by unexpected interpretation of characters in the variable contents by the shell, such as globbing and word splitting. The immediate motivation for this change is that the unquoted certificate password for the macOS notarization guaranteed someone a headache when the password wasn't as well behaved as the author of the previously fragile command had assumed: security: SecKeychainItemImport: MAC verification failed during PKCS12 import (wrong password?)
1 parent 5115d44 commit c65c2b2

3 files changed

+21
-21
lines changed


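--- a/.github/workflows/arduino-stats.yaml
+++ b/.github/workflows/arduino-stats.yaml
@@ -28,7 +28,7 @@ jobs:
 # Fetch jq 1.6 as VM has only 1.5 ATM
 wget -q https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64 -O jq
 chmod +x jq
-PATH=${{ github.workspace }}:$PATH
+PATH="${{ github.workspace }}:$PATH"
 .github/tools/fetch_athena_stats.sh
 
 - name: Send metrics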
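Review bot: The new `PATH="${{ github.workspace }}:$PATH"` on line 31 puts the `jq` fetched two lines above at the front of the lookup path for the rest of the step, but that binary is downloaded with `wget -q` and never integrity-checked, so `fetch_athena_stats.sh` runs whatever the release URL happened to serve. Verifying the download before `chmod +x jq`, e.g. `echo "<SHA256_OF_JQ_1_6_LINUX64>  jq" | sha256sum -c -`, makes the step fail closed if the artifact ever changes. The `run:` block that holds these lines starts outside the hunk.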

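--- a/.github/workflows/nightly.yaml
+++ b/.github/workflows/nightly.yaml
@@ -55,12 +55,12 @@ jobs:
 KEYCHAIN: "sign.keychain"
 INSTALLER_CERT_MAC_PATH: "/tmp/ArduinoCerts2020.p12"
 run: |
-echo "${{ secrets.INSTALLER_CERT_MAC_P12 }}" | base64 --decode > ${{ env.INSTALLER_CERT_MAC_PATH }}
-security create-keychain -p ${{ secrets.KEYCHAIN_PASSWORD }} ${{ env.KEYCHAIN }}
-security default-keychain -s ${{ env.KEYCHAIN }}
-security unlock-keychain -p ${{ secrets.KEYCHAIN_PASSWORD }} ${{ env.KEYCHAIN }}
-security import ${{ env.INSTALLER_CERT_MAC_PATH }} -k ${{ env.KEYCHAIN }} -f pkcs12 -A -T /usr/bin/codesign -P ${{ secrets.INSTALLER_CERT_MAC_PASSWORD }}
-security set-key-partition-list -S apple-tool:,apple: -s -k ${{ secrets.KEYCHAIN_PASSWORD }} ${{ env.KEYCHAIN }}
+echo "${{ secrets.INSTALLER_CERT_MAC_P12 }}" | base64 --decode > "${{ env.INSTALLER_CERT_MAC_PATH }}"
+security create-keychain -p "${{ secrets.KEYCHAIN_PASSWORD }}" "${{ env.KEYCHAIN }}"
+security default-keychain -s "${{ env.KEYCHAIN }}"
+security unlock-keychain -p "${{ secrets.KEYCHAIN_PASSWORD }}" "${{ env.KEYCHAIN }}"
+security import "${{ env.INSTALLER_CERT_MAC_PATH }}" -k "${{ env.KEYCHAIN }}" -f pkcs12 -A -T /usr/bin/codesign -P "${{ secrets.INSTALLER_CERT_MAC_PASSWORD }}"
+security set-key-partition-list -S apple-tool:,apple: -s -k "${{ secrets.KEYCHAIN_PASSWORD }}" "${{ env.KEYCHAIN }}"
 
 - name: Install gon for code signing and app notarization
 run: |
@@ -83,10 +83,10 @@ jobs:
 # so we need to add execution permission back until @v2 actions are released.
 chmod +x dist/arduino-cli_osx_darwin_amd64/arduino-cli
 PACKAGE_FILENAME="$(basename dist/arduino-cli_${{ github.workflow }}-*_macOS_64bit.tar.gz)"
-tar -czvf dist/$PACKAGE_FILENAME \
+tar -czvf "dist/$PACKAGE_FILENAME" \
 -C dist/arduino-cli_osx_darwin_amd64/ arduino-cli \
 -C ../../ LICENSE.txt
-CLI_CHECKSUM=$(shasum -a 256 dist/$PACKAGE_FILENAME | cut -d " " -f 1)
+CLI_CHECKSUM="$(shasum -a 256 "dist/$PACKAGE_FILENAME" | cut -d " " -f 1)"
 perl -pi -w -e "s/.*${PACKAGE_FILENAME}/${CLI_CHECKSUM} ${PACKAGE_FILENAME}/g;" dist/*-checksums.txt
 
 - name: Upload artifacts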
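Review bot: Quoting the `${{ secrets.KEYCHAIN_PASSWORD }}` and `${{ secrets.INSTALLER_CERT_MAC_PASSWORD }}` expansions on new lines 59-63 fixes word splitting but not the underlying fragility: a `${{ }}` expression is substituted into the script text before bash parses it, so a secret containing a double quote, a backslash or `$` still alters the command line, and the double quotes cannot protect against that. The robust form passes the secrets through the step's `env:` block and references them as ordinary shell variables, where quoting covers the whole value. The same six lines appear in release.yaml at lines 61-66 and should get the same treatment. Separately, `-A` on `security import` permits any application to use the imported key, which makes the `-T /usr/bin/codesign` restriction on the same line moot; if only codesign needs the key, dropping `-A` is worth considering.

```yaml
# … unchanged: existing KEYCHAIN / INSTALLER_CERT_MAC_PATH env entries …
  INSTALLER_CERT_MAC_P12: ${{ secrets.INSTALLER_CERT_MAC_P12 }}
  INSTALLER_CERT_MAC_PASSWORD: ${{ secrets.INSTALLER_CERT_MAC_PASSWORD }}
  KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
run: |
  echo "$INSTALLER_CERT_MAC_P12" | base64 --decode > "$INSTALLER_CERT_MAC_PATH"
  security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN"
  security default-keychain -s "$KEYCHAIN"
  security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN"
  security import "$INSTALLER_CERT_MAC_PATH" -k "$KEYCHAIN" -f pkcs12 -A -T /usr/bin/codesign -P "$INSTALLER_CERT_MAC_PASSWORD"
  security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN"
```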

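--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -58,12 +58,12 @@ jobs:
 KEYCHAIN: "sign.keychain"
 INSTALLER_CERT_MAC_PATH: "/tmp/ArduinoCerts2020.p12"
 run: |
-echo "${{ secrets.INSTALLER_CERT_MAC_P12 }}" | base64 --decode > ${{ env.INSTALLER_CERT_MAC_PATH }}
-security create-keychain -p ${{ secrets.KEYCHAIN_PASSWORD }} ${{ env.KEYCHAIN }}
-security default-keychain -s ${{ env.KEYCHAIN }}
-security unlock-keychain -p ${{ secrets.KEYCHAIN_PASSWORD }} ${{ env.KEYCHAIN }}
-security import ${{ env.INSTALLER_CERT_MAC_PATH }} -k ${{ env.KEYCHAIN }} -f pkcs12 -A -T /usr/bin/codesign -P ${{ secrets.INSTALLER_CERT_MAC_PASSWORD }}
-security set-key-partition-list -S apple-tool:,apple: -s -k ${{ secrets.KEYCHAIN_PASSWORD }} ${{ env.KEYCHAIN }}
+echo "${{ secrets.INSTALLER_CERT_MAC_P12 }}" | base64 --decode > "${{ env.INSTALLER_CERT_MAC_PATH }}"
+security create-keychain -p "${{ secrets.KEYCHAIN_PASSWORD }}" "${{ env.KEYCHAIN }}"
+security default-keychain -s "${{ env.KEYCHAIN }}"
+security unlock-keychain -p "${{ secrets.KEYCHAIN_PASSWORD }}" "${{ env.KEYCHAIN }}"
+security import "${{ env.INSTALLER_CERT_MAC_PATH }}" -k "${{ env.KEYCHAIN }}" -f pkcs12 -A -T /usr/bin/codesign -P "${{ secrets.INSTALLER_CERT_MAC_PASSWORD }}"
+security set-key-partition-list -S apple-tool:,apple: -s -k "${{ secrets.KEYCHAIN_PASSWORD }}" "${{ env.KEYCHAIN }}"
 
 - name: Install gon for code signing and app notarization
 run: |
@@ -85,11 +85,11 @@ jobs:
 # GitHub's upload/download-artifact@v1 actions don't preserve file permissions,
 # so we need to add execution permission back until @v2 actions are released.
 chmod +x dist/arduino-cli_osx_darwin_amd64/arduino-cli
-TAG=${GITHUB_REF/refs\/tags\//}
-tar -czvf dist/arduino-cli_${TAG}_macOS_64bit.tar.gz \
+TAG="${GITHUB_REF/refs\/tags\//}"
+tar -czvf "dist/arduino-cli_${TAG}_macOS_64bit.tar.gz" \
 -C dist/arduino-cli_osx_darwin_amd64/ arduino-cli \
 -C ../../ LICENSE.txt
-CLI_CHECKSUM=$(shasum -a 256 dist/arduino-cli_${TAG}_macOS_64bit.tar.gz | cut -d " " -f 1)
+CLI_CHECKSUM="$(shasum -a 256 "dist/arduino-cli_${TAG}_macOS_64bit.tar.gz" | cut -d " " -f 1)"
 perl -pi -w -e "s/.*arduino-cli_${TAG}_macOS_64bit.tar.gz/${CLI_CHECKSUM} arduino-cli_${TAG}_macOS_64bit.tar.gz/g;" dist/*-checksums.txt
 
 - name: Upload artifacts
@@ -116,11 +116,11 @@ jobs:
 - name: Read CHANGELOG
 id: changelog
 run: |
-body=$(cat dist/CHANGELOG.md)
+body="$(cat dist/CHANGELOG.md)"
 body="${body//'%'/'%25'}"
 body="${body//$'\n'/'%0A'}"
 body="${body//$'\r'/'%0D'}"
-echo $body
+echo "$body"
 echo "::set-output name=BODY::$body"
 
 - name: Identify Prerelease
@@ -130,7 +130,7 @@ jobs:
 run: |
 wget -q -P /tmp https://github.com/fsaintjacques/semver-tool/archive/3.0.0.zip
 unzip -p /tmp/3.0.0.zip semver-tool-3.0.0/src/semver >/tmp/semver && chmod +x /tmp/semver
-if [[ $(/tmp/semver get prerel ${GITHUB_REF/refs\/tags\//}) ]]; then echo "::set-output name=IS_PRE::true"; fi
+if [[ "$(/tmp/semver get prerel "${GITHUB_REF/refs\/tags\//}")" ]]; then echo "::set-output name=IS_PRE::true"; fi
 
 - name: Create Github Release
 id: create_release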
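Review bot: The quoting on new lines 88-92 protects the shell, but the `perl -pi -w -e "s/.*arduino-cli_${TAG}_macOS_64bit.tar.gz/..."` context line at 93 still interpolates `${TAG}` into the regex pattern unescaped, so a tag name containing a regex metacharacter (`+`, `[`, `(`) changes what is matched or makes the substitution fail on the checksums file. Writing the pattern side as `s/.*arduino-cli_\Q${TAG}\E_macOS_64bit.tar.gz/${CLI_CHECKSUM} arduino-cli_${TAG}_macOS_64bit.tar.gz/g;` makes the tag literal in the match; the replacement side needs no change. nightly.yaml line 90 has the same pattern with `${PACKAGE_FILENAME}`. Note also that `${GITHUB_REF/refs\/tags\//}` only strips the prefix, so a tag containing `/` would presumably turn the tar path into a nested directory that does not exist — worth confirming that tag names here never contain one.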
