From 296789da22d638ae5855c3f900b3b5e7c86d3be7 Mon Sep 17 00:00:00 2001 From: AleksanderSklorz <115619721+AleksanderSklorz@users.noreply.github.com> Date: Thu, 25 Sep 2025 10:50:08 +0200 Subject: [PATCH] [ACS-10124] Fix Change this action to not use user-controlled data directly in a run block sonar issue (#4810) * [ACS-10124] Fix Change this action to not use user-controlled data directly in a run block sonar issue * [ACS-10124] Corrected typo --- .github/actions/get-image-tag/action.yml | 7 +++++-- .github/actions/git-tag/action.yml | 7 +++++-- .github/actions/run-e2e-playwright/action.yml | 6 ++++-- .github/actions/setup/action.yml | 6 ++++-- .github/actions/update-library-versions/action.yml | 4 +++- 5 files changed, 21 insertions(+), 9 deletions(-) diff --git a/.github/actions/get-image-tag/action.yml b/.github/actions/get-image-tag/action.yml index 6c2e2492b..3be793bcf 100644 --- a/.github/actions/get-image-tag/action.yml +++ b/.github/actions/get-image-tag/action.yml @@ -11,10 +11,13 @@ runs: steps: - name: Get docker image tag name shell: bash + env: + BRANCH_NAME: ${{ inputs.branch_name }} + RUN_ID: ${{ github.run_id }} run: | - if [[ "${{ inputs.branch_name }}" == "master" ]] || [[ "${{ inputs.branch_name }}" == release/* ]]; then + if [[ "$BRANCH_NAME" == "master" ]] || [[ "$BRANCH_NAME" == release/* ]]; then TAG_VERSION="$(jq -cr '.version' < package.json)" else - TAG_VERSION="${{ inputs.branch_name }}-${{ github.run_id }}" + TAG_VERSION="${BRANCH_NAME}-${RUN_ID}" fi echo "TAG_VERSION=$TAG_VERSION" >> $GITHUB_ENV diff --git a/.github/actions/git-tag/action.yml b/.github/actions/git-tag/action.yml index 96fe6b3d9..9da477331 100644 --- a/.github/actions/git-tag/action.yml +++ b/.github/actions/git-tag/action.yml 
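Review bot: In the get-image-tag hunk the branch name still reaches `echo "TAG_VERSION=$TAG_VERSION" >> $GITHUB_ENV` unvalidated through the `else` branch, so a value containing a newline would add extra variables to the environment file read by later steps. Moving the input into `BRANCH_NAME` stops it being parsed as shell in this step, but not that. Git ref names cannot contain control characters, yet `inputs.branch_name` is a free-form input, so a guard before the `if` such as `[[ "$BRANCH_NAME" =~ ^[A-Za-z0-9._/-]+$ ]] || exit 1` would close it, and `"$GITHUB_ENV"` should be quoted. The setup hunk's `TAG_NPM=$NPM_TAG` may need the same check if `TAG_NPM` is later written to `GITHUB_ENV` or `GITHUB_OUTPUT`, which is outside the visible lines.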
@@ -17,8 +17,11 @@ runs: steps: - name: publish tag shell: bash + env: + BRANCH_NAME: ${{ inputs.branch_name }} + GITHUB_TOKEN: ${{ inputs.github_token }} run: | - if [[ "${{ inputs.branch_name }}" == "master" ]] || [[ "${{ inputs.branch_name }}" == release/* ]]; then + if [[ "$BRANCH_NAME" == "master" ]] || [[ "$BRANCH_NAME" == release/* ]]; then VERSION=$(jq -cr '.version' < package.json) echo "git tag -a ${VERSION} -m ${VERSION}" @@ -28,7 +31,7 @@ runs: if [[ "${{ inputs.dry-run }}" != "true" ]]; then git tag -a ${VERSION} -m "${VERSION} [ci skip] " git remote rm origin - GITHUB_REPO=https://${{ inputs.github_token }}:x-oauth-basic@github.com/Alfresco/alfresco-content-app.git + GITHUB_REPO=https://$GITHUB_TOKEN:x-oauth-basic@github.com/Alfresco/alfresco-content-app.git git remote add origin $GITHUB_REPO git push origin --tags fi diff --git a/.github/actions/run-e2e-playwright/action.yml b/.github/actions/run-e2e-playwright/action.yml index 498bf7e3c..0b35580fb 100644 --- a/.github/actions/run-e2e-playwright/action.yml +++ b/.github/actions/run-e2e-playwright/action.yml @@ -19,6 +19,8 @@ runs: - name: Setup and run with options shell: bash + env: + OPTIONS: ${{ inputs.options }} run: | npm start > /dev/null &\ @@ -29,5 +31,5 @@ runs: done printf "\nApplication is ready.\n" - echo "Running playwright tests with options ${{ inputs.options }}" - E2E_TARGET=${{ inputs.options }} npm run ci:e2e + echo "Running playwright tests with options $OPTIONS" + E2E_TARGET=$OPTIONS npm run ci:e2e diff --git a/.github/actions/setup/action.yml b/.github/actions/setup/action.yml index e6a2289d5..6cf816a7f 100644 --- a/.github/actions/setup/action.yml +++ b/.github/actions/setup/action.yml 
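Review bot: In the second git-tag hunk, the context line `if [[ "${{ inputs.dry-run }}" != "true" ]]; then` is still expanded into the script text before bash runs, so this step keeps the pattern the commit removes everywhere else. Route it through the `env:` block added in the previous hunk, `DRY_RUN: ${{ inputs.dry-run }}`, and test `if [[ "$DRY_RUN" != "true" ]]; then`. Separately, `git remote add origin $GITHUB_REPO` writes the token into the remote URL, which git keeps in `.git/config` for the rest of the job. Quoting `"$GITHUB_REPO"` and dropping the remote again after `git push origin --tags` would limit that exposure. The enclosing `run` script starts above this hunk.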
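Review bot: In the second run-e2e-playwright hunk, `E2E_TARGET=$OPTIONS npm run ci:e2e` changes behaviour for values containing whitespace, not just how the value is delivered. With the old template expansion, bash parsed the text itself, so anything after the first space became the command line; now the whole string is assigned to `E2E_TARGET`. That is the safer behaviour, but callers that passed several words in `options` should be checked. Write it as `E2E_TARGET="$OPTIONS" npm run ci:e2e` so the intent is explicit, and add a comment saying `options` is treated as a single opaque value.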
@@ -22,9 +22,11 @@ runs: - uses: Alfresco/alfresco-build-tools/.github/actions/get-branch-name@v8.33.0 - name: set TAG_NPM shell: bash + env: + NPM_TAG: ${{ inputs.npm_tag }} run: | - if [[ -n "${{ inputs.npm_tag }}" ]]; then - TAG_NPM=${{ inputs.npm_tag }} + if [[ -n "$NPM_TAG" ]]; then + TAG_NPM=$NPM_TAG else TAG_NPM="alpha" VERSION_IN_PACKAGE_JSON=$(jq -cr '.version' < package.json) diff --git a/.github/actions/update-library-versions/action.yml b/.github/actions/update-library-versions/action.yml index 0a8d35880..a5a7d6fb0 100644 --- a/.github/actions/update-library-versions/action.yml +++ b/.github/actions/update-library-versions/action.yml @@ -14,10 +14,12 @@ runs: steps: - name: Update Versions shell: bash + env: + BRANCH_NAME: ${{ inputs.branch_name }} run: | VERSION_IN_PACKAGE_JSON=$(jq -cr '.version' < package.json) - if [[ ${{ inputs.branch_name }} =~ ^master.*?$ ]] || [[ "${{ inputs.branch_name }}" == release/* ]] ; then + if [[ $BRANCH_NAME =~ ^master.*?$ ]] || [[ "$BRANCH_NAME" == release/* ]] ; then NEW_LIBRARY_VERSION="$VERSION_IN_PACKAGE_JSON" else NEW_LIBRARY_VERSION="${VERSION_IN_PACKAGE_JSON}-${{ github.run_id }}"
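Review bot: In the update-library-versions hunk, `[[ $BRANCH_NAME =~ ^master.*?$ ]]` accepts any branch whose name merely starts with `master`, because `.*?` is not lazy in bash's ERE and the pattern reduces to a prefix match. A branch such as `master-foo` would therefore get the unsuffixed `NEW_LIBRARY_VERSION`, while get-image-tag and git-tag in this same commit compare with `== "master"`. If the prefix match is not intentional, use `if [[ "$BRANCH_NAME" == "master" ]] || [[ "$BRANCH_NAME" == release/* ]]; then`; if it is, add a comment saying so. The last context line still expands `${{ github.run_id }}` in the script; it is not user-controlled, but adding `RUN_ID: ${{ github.run_id }}` under `env:` and using `${RUN_ID}` would match the get-image-tag hunk.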