From 81be26650ec72db4c359e114afb3901890337ca5 Mon Sep 17 00:00:00 2001
From: Jack Grigg <jack@electriccoin.co>
Date: Thu, 9 Jan 2025 16:38:43 +0000
Subject: [PATCH] CI: Fix potential template injection issues

---
 .github/actions/prepare/action.yml |  9 +++++++--
 .github/workflows/audits.yml       |  8 ++++++--
 .github/workflows/book.yml         |  4 +++-
 .github/workflows/ci.yml           | 13 ++++++++++---
 4 files changed, 26 insertions(+), 8 deletions(-)

diff --git a/.github/actions/prepare/action.yml b/.github/actions/prepare/action.yml
index 9ac597d49..e51908432 100644
--- a/.github/actions/prepare/action.yml
+++ b/.github/actions/prepare/action.yml
@@ -20,7 +20,10 @@ runs:
       shell: bash
       run: echo "feature=test-dependencies" >> $GITHUB_OUTPUT
       if: inputs.test-dependencies == 'true'
-    - name: Prepare feature flags
+
+    # `steps.test.outputs.feature` cannot expand into attacker-controllable code
+    # because the previous step only enables it to have one of two fixed values.
+    - name: Prepare feature flags # zizmor: ignore[template-injection]
       id: prepare
       shell: bash
       run: >
@@ -34,6 +37,8 @@ runs:
         unstable
         unstable-serialization
         unstable-spanning-tree
-        ${{ inputs.extra-features }}
+        ${EXTRA_FEATURES}
         ${{ steps.test.outputs.feature }}
         '" >> $GITHUB_OUTPUT
+      env:
+        EXTRA_FEATURES: ${{ inputs.extra-features }}
diff --git a/.github/workflows/audits.yml b/.github/workflows/audits.yml
index bdac55418..ebcca1533 100644
--- a/.github/workflows/audits.yml
+++ b/.github/workflows/audits.yml
@@ -18,7 +18,9 @@ jobs:
           persist-credentials: false
       - uses: dtolnay/rust-toolchain@stable
         id: toolchain
-      - run: rustup override set ${{steps.toolchain.outputs.name}}
+      - run: rustup override set "${TOOLCHAIN}"
+        env:
+          TOOLCHAIN: ${{steps.toolchain.outputs.name}}
       - run: cargo install cargo-vet --version ~0.10
       - run: cargo vet --locked
 
@@ -43,4 +45,6 @@ jobs:
     steps:
       - name: Determine whether all required-pass steps succeeded
         run: |
-          echo '${{ toJSON(needs) }}' | jq -e '[ .[] | .result == "success" ] | all'
+          echo "${NEEDS}" | jq -e '[ .[] | .result == "success" ] | all'
+        env:
+          NEEDS: ${{ toJSON(needs) }}
diff --git a/.github/workflows/book.yml b/.github/workflows/book.yml
index 88bfede44..1fbcbf27a 100644
--- a/.github/workflows/book.yml
+++ b/.github/workflows/book.yml
@@ -16,7 +16,9 @@ jobs:
         uses: ./.github/actions/prepare
       - uses: dtolnay/rust-toolchain@nightly
         id: toolchain
-      - run: rustup override set ${{steps.toolchain.outputs.name}}
+      - run: rustup override set "${TOOLCHAIN}"
+        env:
+          TOOLCHAIN: ${{steps.toolchain.outputs.name}}
 
       - name: Build latest rustdocs
         run: >
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 85f125584..be5eabf5c 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -248,7 +248,10 @@ jobs:
           key: ${{ runner.os }}-cargo-latest
       - uses: dtolnay/rust-toolchain@stable
         id: toolchain
-      - run: rustup override set ${{steps.toolchain.outputs.name}}
+      - run: rustup override set "${TOOLCHAIN}"
+        shell: sh
+        env:
+          TOOLCHAIN: ${{steps.toolchain.outputs.name}}
       - name: Remove lockfile to build with latest dependencies
         run: rm Cargo.lock
       - name: Build crates
@@ -383,7 +386,9 @@ jobs:
         uses: ./.github/actions/prepare
       - uses: dtolnay/rust-toolchain@beta
         id: toolchain
-      - run: rustup override set ${{steps.toolchain.outputs.name}}
+      - run: rustup override set "${TOOLCHAIN}"
+        env:
+          TOOLCHAIN: ${{steps.toolchain.outputs.name}}
       - name: Run Clippy (beta)
         uses: actions-rs/clippy-check@v1
         continue-on-error: true
@@ -535,4 +540,6 @@ jobs:
     steps:
       - name: Determine whether all required-pass steps succeeded
         run: |
-          echo '${{ toJSON(needs) }}' | jq -e '[ .[] | .result == "success" ] | all'
+          echo "${NEEDS}" | jq -e '[ .[] | .result == "success" ] | all'
+        env:
+          NEEDS: ${{ toJSON(needs) }}