Fix script injection issues

.github/actions/perform-static-analysis/action.yaml

@@ -16,13 +16,16 @@ runs:
     - name: 'Check prerequisites for performing static analysis'
       shell: bash
       id: check
-      run: echo "secret_exist=${{ inputs.sonar_token != '' }}" >> $GITHUB_OUTPUT
+      env:
+        SECRET_EXIST: ${{ inputs.sonar_token != '' }}
+      run: echo "secret_exist=${SECRET_EXIST}" >> $GITHUB_OUTPUT
     - name: 'Perform static analysis'
       shell: bash
       if: steps.check.outputs.secret_exist == 'true'
+      env:
+        SONAR_ORGANISATION_KEY: ${{ inputs.sonar_organisation_key }}
+        SONAR_PROJECT_KEY: ${{ inputs.sonar_project_key }}
+        SONAR_TOKEN: ${{ inputs.sonar_token }}
       run: |
         export BRANCH_NAME=${GITHUB_HEAD_REF:-$(echo $GITHUB_REF | sed 's#refs/heads/##')}
-        export SONAR_ORGANISATION_KEY=${{ inputs.sonar_organisation_key }}
-        export SONAR_PROJECT_KEY=${{ inputs.sonar_project_key }}
-        export SONAR_TOKEN=${{ inputs.sonar_token }}
         ./scripts/reports/perform-static-analysis.sh

.github/actions/scan-dependencies/action.yaml

@@ -24,8 +24,9 @@ runs:
   steps:
     - name: 'Generate SBOM'
       shell: bash
+      env:
+        BUILD_DATETIME: ${{ inputs.build_datetime }}
       run: |
-        export BUILD_DATETIME=${{ inputs.build_datetime }}
         ./scripts/reports/create-sbom-report.sh
     - name: 'Compress SBOM report'
       shell: bash
@@ -39,8 +40,9 @@ runs:
         retention-days: 21
     - name: 'Scan vulnerabilities'
       shell: bash
+      env:
+        BUILD_DATETIME: ${{ inputs.build_datetime }}
       run: |
-        export BUILD_DATETIME=${{ inputs.build_datetime }}
         ./scripts/reports/scan-vulnerabilities.sh
     - name: 'Compress vulnerabilities report'
       shell: bash
@@ -55,7 +57,9 @@ runs:
     - name: 'Check prerequisites for sending the reports'
       shell: bash
       id: check
-      run: echo "secrets_exist=${{ inputs.idp_aws_report_upload_role_name != '' && inputs.idp_aws_report_upload_bucket_endpoint != '' }}" >> $GITHUB_OUTPUT
+      env:
+        SECRETS_EXIST: ${{ inputs.idp_aws_report_upload_role_name != '' && inputs.idp_aws_report_upload_bucket_endpoint != '' }}
+      run: echo "secrets_exist=${SECRETS_EXIST}" >> $GITHUB_OUTPUT
     - name: 'Authenticate to send the reports'
       if: steps.check.outputs.secrets_exist == 'true'
       uses: aws-actions/configure-aws-credentials@v2
@@ -65,10 +69,13 @@ runs:
     - name: 'Send the SBOM and vulnerabilities reports to the central location'
       shell: bash
       if: steps.check.outputs.secrets_exist == 'true'
+      env:
+        BUILD_TIMESTAMP: ${{ inputs.build_timestamp }}
+        UPLOAD_BUCKET_ENDPOINT: ${{ inputs.idp_aws_report_upload_bucket_endpoint }}
       run: |
         aws s3 cp \
           ./sbom-repository-report.json.zip \
-          ${{ inputs.idp_aws_report_upload_bucket_endpoint }}/${{ inputs.build_timestamp }}-sbom-repository-report.json.zip
+          "${UPLOAD_BUCKET_ENDPOINT}/${BUILD_TIMESTAMP}-sbom-repository-report.json.zip"
         aws s3 cp \
           ./vulnerabilities-repository-report.json.zip \
-          ${{ inputs.idp_aws_report_upload_bucket_endpoint }}/${{ inputs.build_timestamp }}-vulnerabilities-repository-report.json.zip
+          "${UPLOAD_BUCKET_ENDPOINT}/${BUILD_TIMESTAMP}-vulnerabilities-repository-report.json.zip"

.github/workflows/cicd-1-pull-request-closed.yaml

@@ -27,14 +27,17 @@ jobs:
           subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
       - name: Call delete review app pipeline
+        env:
+          COMMIT_SHA: ${{ github.event.pull_request.head.sha }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
         run: |
           echo "Starting Azure devops pipeline \"Delete review app\"..."
           RUN_ID=$(az pipelines run \
-            --commit-id ${{ github.event.pull_request.head.sha }}\
+            --commit-id "${COMMIT_SHA}"\
             --name "Delete review app"\
             --org https://dev.azure.com/nhse-dtos \
             --project dtos-manage-breast-screening \
-            --parameters commitSHA=${{ github.event.pull_request.head.sha }} prNumber=${{ github.event.pull_request.number }} \
+            --parameters commitSHA="${COMMIT_SHA}" prNumber="${PR_NUMBER}" \
             --output tsv --query id)
 
           echo "See pipeline run in Azure devops: https://dev.azure.com/nhse-dtos/dtos-manage-breast-screening/_build/results?buildId=${RUN_ID}&view=results"

.github/workflows/cicd-2-main-branch.yaml

@@ -101,19 +101,24 @@ jobs:
     steps:
       - name: Determine failed stages
         id: failed_stages
+        env:
+          COMMIT_STAGE_RESULT: ${{ needs.commit-stage.result }}
+          TEST_STAGE_RESULT: ${{ needs.test-stage.result }}
+          BUILD_STAGE_RESULT: ${{ needs.build-stage.result }}
+          DEPLOY_STAGE_RESULT: ${{ needs.deploy-stage.result }}
         run: |
           failed_stages=""
 
-          if [[ "${{ needs.commit-stage.result }}" == "failure" ]]; then
+          if [[ "${COMMIT_STAGE_RESULT}" == "failure" ]]; then
             failed_stages="${failed_stages}• Commit stage\n"
           fi
-          if [[ "${{ needs.test-stage.result }}" == "failure" ]]; then
+          if [[ "${TEST_STAGE_RESULT}" == "failure" ]]; then
             failed_stages="${failed_stages}• Test stage\n"
           fi
-          if [[ "${{ needs.build-stage.result }}" == "failure" ]]; then
+          if [[ "${BUILD_STAGE_RESULT}" == "failure" ]]; then
             failed_stages="${failed_stages}• Build stage\n"
           fi
-          if [[ "${{ needs.deploy-stage.result }}" == "failure" ]]; then
+          if [[ "${DEPLOY_STAGE_RESULT}" == "failure" ]]; then
             failed_stages="${failed_stages}• Deploy stage (check workflow for environment)\n"
           fi
 

.github/workflows/stage-3-build.yaml

@@ -79,17 +79,23 @@ jobs:
             type=sha,format=long,prefix=git-sha-
 
       - name: Print commit SHA
-        run: echo "Commit SHA is ${{ inputs.commit_sha }}"
+        env:
+          COMMIT_SHA: ${{ inputs.commit_sha }}
+        run: echo "Commit SHA is ${COMMIT_SHA}"
 
       - name: Set branch environment variable (push)
         if: github.event_name == 'push'
         shell: bash
-        run: echo "GIT_BRANCH=${GITHUB_REF##*/}" >> $GITHUB_ENV # GIT_BRANCH will be main for refs/heads/main
+        env:
+          GITHUB_REF_VALUE: ${{ github.ref }}
+        run: echo "GIT_BRANCH=${GITHUB_REF_VALUE##*/}" >> $GITHUB_ENV # GIT_BRANCH will be main for refs/heads/main
 
       - name: Set branch environment variable (pull_request)
         if: github.event_name == 'pull_request'
         shell: bash
-        run: echo "GIT_BRANCH=${GITHUB_HEAD_REF##*/}" >> $GITHUB_ENV
+        env:
+          GITHUB_HEAD_REF_VALUE: ${{ github.head_ref }}
+        run: echo "GIT_BRANCH=${GITHUB_HEAD_REF_VALUE##*/}" >> $GITHUB_ENV
 
       - name: Build and push Docker image
         id: push

.github/workflows/stage-4-deploy.yaml

@@ -39,30 +39,38 @@ jobs:
           subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
       - name: Call deployment pipeline
+        env:
+          ENVIRONMENT: ${{ matrix.environment }}
+          COMMIT_SHA: ${{ inputs.commit_sha }}
+          PR_NUMBER: ${{ inputs.pr_number }}
         run: |
-          if [[ -n "${{inputs.pr_number}}" ]]; then
-            pr_argument="prNumber=${{inputs.pr_number}}"
+          if [[ -n "${PR_NUMBER}" ]]; then
+            pr_argument="prNumber=${PR_NUMBER}"
           else
             pr_argument=""
           fi
 
-          source infrastructure/environments/${{ matrix.environment }}/variables.sh
+          source "infrastructure/environments/${ENVIRONMENT}/variables.sh"
 
-          echo "Starting Azure devops pipeline \"Deploy to Azure - ${{ matrix.environment }}\"..."
+          echo "Starting Azure devops pipeline \"Deploy to Azure - ${ENVIRONMENT}\"..."
           RUN_ID=$(az pipelines run \
-            --commit-id ${{inputs.commit_sha}} \
-            --name "Deploy to Azure - ${{ matrix.environment }}" \
+            --commit-id "${COMMIT_SHA}" \
+            --name "Deploy to Azure - ${ENVIRONMENT}" \
             --org https://dev.azure.com/nhse-dtos \
             --project dtos-manage-breast-screening \
-            --parameters commitSHA=${{inputs.commit_sha}} ${pr_argument} environment=${{ matrix.environment }} pool=${ADO_MANAGEMENT_POOL} \
+            --parameters commitSHA="${COMMIT_SHA}" ${pr_argument} environment="${ENVIRONMENT}" pool="${ADO_MANAGEMENT_POOL}" \
             --output tsv --query id)
 
           echo "See pipeline run in Azure devops: https://dev.azure.com/nhse-dtos/dtos-manage-breast-screening/_build/results?buildId=${RUN_ID}&view=results"
 
           scripts/bash/wait_ado_pipeline.sh "$RUN_ID" https://dev.azure.com/nhse-dtos dtos-manage-breast-screening
 
       - name: Basic application smoke test
+        env:
+          ENVIRONMENT: ${{ matrix.environment }}
+          COMMIT_SHA: ${{ inputs.commit_sha }}
+          PR_NUMBER: ${{ inputs.pr_number }}
         run: |
-          dns_zone_name=$( grep dns_zone_name infrastructure/environments/${{ matrix.environment }}/variables.tfvars | awk -F'"' '{print $2}' )
-          use_apex_domain=$( grep use_apex_domain infrastructure/environments/${{ matrix.environment }}/variables.tfvars | awk '{print $3}' || echo "false" )
-          scripts/bash/container_app_smoke_test.sh "${{ matrix.environment }}" "${{ inputs.commit_sha }}" "${dns_zone_name}" "${{inputs.pr_number}}" "${use_apex_domain}"
+          dns_zone_name=$( grep dns_zone_name "infrastructure/environments/${ENVIRONMENT}/variables.tfvars" | awk -F'"' '{print $2}' )
+          use_apex_domain=$( grep use_apex_domain "infrastructure/environments/${ENVIRONMENT}/variables.tfvars" | awk '{print $3}' || echo "false" )
+          scripts/bash/container_app_smoke_test.sh "${ENVIRONMENT}" "${COMMIT_SHA}" "${dns_zone_name}" "${PR_NUMBER}" "${use_apex_domain}"