From 99c0ff0c38b043c2b5209889ee384f75967be3e4 Mon Sep 17 00:00:00 2001
From: Larry Gritz
Date: Wed, 4 Mar 2026 17:14:15 -0800
Subject: [PATCH] ci: For security, replace some workflow substitutions with safer env substitutions

Signed-off-by: Larry Gritz
---
 .github/workflows/build-steps.yml | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/build-steps.yml b/.github/workflows/build-steps.yml
index a0e70070b..efb393e01 100644
--- a/.github/workflows/build-steps.yml
+++ b/.github/workflows/build-steps.yml
@@ -120,6 +120,8 @@ jobs:
 ABI_CHECK: ${{inputs.abi_check}}
 ACTIONS_RUNNER_FORCE_ACTIONS_NODE_VERSION: node16
 ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: true
+ SETENVS: ${{inputs.setenvs}}
+ DEPCMDS: ${{inputs.depcmds}}
 
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -128,7 +130,7 @@ jobs:
 - name: Build setup
 shell: bash
 run: |
- ${{inputs.setenvs}}
+ eval "$SETENVS"
 src/build-scripts/ci-startup.bash
 - name: Prepare ccache timestamp
 id: ccache_cache_keys
@@ -150,7 +152,7 @@ jobs:
 - name: Dependencies
 shell: bash
 run: |
- ${{inputs.depcmds}}
+ eval "$DEPCMDS"
 if [[ "$RUNNER_OS" == "Linux" ]]; then
 src/build-scripts/gh-installdeps.bash
 elif [[ "$RUNNER_OS" == "macOS" ]]; then
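Review bot: The new `SETENVS` and `DEPCMDS` entries in the `@@ -120` hunk are added to the job-level `env:` block, so the caller-supplied shell text is exported into the environment of every step in the job — including `actions/checkout` and any other action that runs there — even though only the `eval "$SETENVS"` and `eval "$DEPCMDS"` lines added in the `@@ -128` and `@@ -150` hunks consume them. Declaring each variable instead under a step-level `env:` on the "Build setup" and "Dependencies" steps (`env:` / `SETENVS: ${{inputs.setenvs}}` directly on that step) keeps the same `eval` lines working while narrowing where the values are visible. It would also help to say in a comment that the change removes expansion into the script body but the input is still executed as shell, e.g. `# Caller-supplied shell snippets: passed as env vars (not ${{ }}) so they are never spliced into the script text, then eval'd by the step that needs them.` The `jobs:` entry and the `inputs` declarations for `setenvs`/`depcmds` lie outside these hunks, so who may supply those values cannot be confirmed from the patch.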
@@ -212,10 +214,10 @@ jobs:
 run: |
 which sonar-scanner
 ls -l /__w/OpenShadingLanguage/OpenShadingLanguage/bw_output
- echo "BUILD_OUTPUT_DIR is " "${{ env.BUILD_WRAPPER_OUT_DIR }}"
+ echo "BUILD_OUTPUT_DIR is ${BUILD_WRAPPER_OUT_DIR}"
 find . -name "*.gcov" -print
- # sonar-scanner --define sonar.cfamily.build-wrapper-output="${{ env.BUILD_WRAPPER_OUT_DIR }}"
- time sonar-scanner --define sonar.host.url="${{ env.SONAR_SERVER_URL }}" --define sonar.cfamily.build-wrapper-output="$BUILD_WRAPPER_OUT_DIR" --define sonar.cfamily.gcov.reportsPath="_coverage" --define sonar.cfamily.threads="$PARALLEL"
+ # sonar-scanner --define sonar.cfamily.build-wrapper-output="${BUILD_WRAPPER_OUT_DIR}"
+ time sonar-scanner --define sonar.host.url="${SONAR_SERVER_URL}" --define sonar.cfamily.build-wrapper-output="$BUILD_WRAPPER_OUT_DIR" --define sonar.cfamily.gcov.reportsPath="_coverage" --define sonar.cfamily.threads="$PARALLEL"
 # Consult https://docs.sonarcloud.io/advanced-setup/ci-based-analysis/sonarscanner-cli/ for more information and options
 - name: Check ABI
 if: inputs.abi_check != ''