Chore: standardize string quotes in workflow

forged-request · forged-request · commit f4e7dfece881 · 2026-01-09T09:50:24.000+01:00
Chore: standardize string quotes in workflow https://docs.github.com/en/actions/reference/security/secure-use#good-practices-for-mitigating-script-injection-attacks
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -4,22 +4,24 @@ on:
   workflow_call:
 
 permissions:
-  contents: read  # Checkout code
-  actions: write  # Save caches
+  contents: read # Checkout code
+  actions: write # Save caches
 
 jobs:
   install-build:
     runs-on: ubuntu-latest
     steps:
-      - name: 'Echo ref_name'
-        run: echo ${{ github.ref_name }}
-      - name: 'Checkout'
+      - name: "Echo ref_name"
+        env:
+          REF_NAME: ${{ github.ref_name }}
+        run: echo "$REF_NAME"
+      - name: "Checkout"
         uses: actions/checkout@v4
-      - name: 'Use NodeJS 20'
+      - name: "Use NodeJS 20"
         uses: actions/setup-node@v4
         with:
-          node-version: '20.11'
-          cache: 'npm'
+          node-version: "20.11"
+          cache: "npm"
       - name: Restore Cypress Binary
         uses: actions/cache/restore@v4
         id: restore-cypress
@@ -40,7 +42,7 @@ jobs:
           npm run build
       - name: List components folder
         run: ls -la packages/components
-      - name: Save Build folders        
+      - name: Save Build folders
         uses: actions/cache/save@v4
         with:
           path: |
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
@@ -4,7 +4,7 @@ on:
   workflow_call:
     inputs:
       publish-prelease:
-        description: 'Publish prerelease version of the current ref'
+        description: "Publish prerelease version of the current ref"
         default: false
         required: false
         type: boolean
@@ -19,18 +19,18 @@ jobs:
       contents: write
       id-token: write
     steps:
-      - name: 'Checkout'
+      - name: "Checkout"
         uses: actions/checkout@v4
         with:
           fetch-depth: 0 # Checkout all branches and tags, needed for publish
-      - name: 'Use NodeJS 20'
+      - name: "Use NodeJS 20"
         uses: actions/setup-node@v4
         with:
-          node-version: '20.11'
-          cache: 'npm'
+          node-version: "20.11"
+          cache: "npm"
       # Retrieve token from Vault and use in .npmrc for installing npm packages from the GitHub registry
       # See https://contentful.atlassian.net/wiki/spaces/ENG/pages/4396155213/Migrating+to+GitHub+Packages+from+npmjs?focusedCommentId=4431282518
-      - name: 'Retrieve NPM Token from Vault'
+      - name: "Retrieve NPM Token from Vault"
         id: vault
         uses: hashicorp/vault-action@v2.4.3
         with:
@@ -72,31 +72,35 @@ jobs:
       - name: Skip Publish if no changes
         if: ${{ steps.changed_packages.outputs.CHANGED_PACKAGES == '' }}
         run: echo "No changes to packages to publish, skipping publish step"
-      - name: 'Version and publish'
+      - name: "Version and publish"
         env:
           GITHUB_TOKEN: ${{ steps.vault.outputs.GITHUB_PACKAGES_WRITE_TOKEN }}
           # GH_TOKEN needed by lerna to create releases on github
           GH_TOKEN: ${{ steps.vault.outputs.GITHUB_PACKAGES_WRITE_TOKEN }}
+          ACTOR: ${{ github.actor }}
+          REF_NAME: ${{ github.ref_name }}
+          PUBLISH_PRERELEASE: ${{ inputs.publish-prelease }}
         if: ${{ steps.changed_packages.outputs.CHANGED_PACKAGES != '' }}
         run: |
-          git config user.name "${{ github.actor }}"
-          git config user.email "${{ github.actor}}@users.noreply.github.com"
+          git config user.name "$ACTOR"
+          git config user.email "$ACTOR@users.noreply.github.com"
 
-          if [ ${{ inputs.publish-prerelease }} ]; then
-            npx lerna publish --conventional-commits --conventional-prerelease --exact --force-publish --preid prerelease-$(date +%Y%m%dT%H%M)-$(git rev-parse HEAD | cut -c1-7) --no-changelog --no-push --yes --no-private --dist-tag prerelease --allow-branch ${{ github.ref_name }} --git-tag-command="echo 'skipping git tag for prereleases'"
-          elif [ ${{ github.ref_name }} = development ]; then
+          if [ "$PUBLISH_PRERELEASE" = "true" ]; then
+            npx lerna publish --conventional-commits --conventional-prerelease --exact --force-publish --preid prerelease-$(date +%Y%m%dT%H%M)-$(git rev-parse HEAD | cut -c1-7) --no-changelog --no-push --yes --no-private --dist-tag prerelease --allow-branch "$REF_NAME" --git-tag-command="echo 'skipping git tag for prereleases'"
+          elif [ "$REF_NAME" = "development" ]; then
             npx lerna publish --conventional-commits --conventional-prerelease --exact --force-publish --preid dev-$(date +%Y%m%dT%H%M)-$(git rev-parse HEAD | cut -c1-7) --dist-tag dev --no-changelog --no-push --yes --no-private --git-tag-command="echo 'skipping git tag for prereleases'"
-          elif [ ${{ github.ref_name }} = next ]; then
+          elif [ "$REF_NAME" = "next" ]; then
             npx lerna publish --conventional-commits --conventional-prerelease --exact --force-publish --preid beta --dist-tag next --no-changelog --yes --no-private --git-tag-command="echo 'skipping git tag for prereleases'"
           else
             npx lerna publish --conventional-commits --conventional-graduate --exact --force-publish --yes --no-private --dist-tag latest --create-release github
           fi
-      - name: 'Merge changes downstream'
-        if: ${{ !inputs.publish-prerelease }}
+      - name: "Merge changes downstream"
+        if: ${{ !inputs.publish-prelease }}
         env:
           GH_TOKEN: ${{ secrets.GH_TOKEN }}
+          REF_NAME: ${{ github.ref_name }}
         run: |
-          if [ ${{ github.ref_name }} = main ]; then
+          if [ "$REF_NAME" = "main" ]; then
             git checkout next
             git pull
             git rebase main
@@ -105,7 +109,7 @@ jobs:
             git pull
             git rebase next
             git push origin
-          elif [ ${{ github.ref_name }} = next ]; then
+          elif [ "$REF_NAME" = "next" ]; then
             git checkout development
             git pull
             git rebase next
diff --git a/.github/workflows/vercel.yaml b/.github/workflows/vercel.yaml
@@ -4,7 +4,7 @@ on:
   workflow_call:
     inputs:
       publish-web-apps-to-prod:
-        description: 'Publish web apps to prod'
+        description: "Publish web apps to prod"
         default: false
         required: false
         type: boolean
@@ -21,15 +21,15 @@ jobs:
       contents: write
       id-token: write
     steps:
-      - name: 'Checkout'
+      - name: "Checkout"
         uses: actions/checkout@v4
         with:
           fetch-depth: 0 # Checkout all branches and tags, needed for publish
-      - name: 'Use NodeJS 20'
+      - name: "Use NodeJS 20"
         uses: actions/setup-node@v4
         with:
-          node-version: '20.11'
-          cache: 'npm'
+          node-version: "20.11"
+          cache: "npm"
       - name: Install dependencies
         run: |
           npm ci
@@ -51,48 +51,57 @@ jobs:
       #   with:
       #     ## limits ssh access and adds the ssh public key for the user which triggered the workflow
       #     limit-access-to-actor: true
-      - name: 'Deploy vite test-app site to Vercel'
+      - name: "Deploy vite test-app site to Vercel"
         env:
           # Domain: experience-builder-test-app.colorfuldemo.com
           VERCEL_PROJECT_ID: prj_wr3mJgz9qLeHh33UaCFquePsr1hw
           VERCEL_ORG_ID: ${{ secrets.VERCEL_ORG_ID }}
+          REF_NAME: ${{ github.ref_name }}
+          PUBLISH_TO_PROD: ${{ inputs.publish-web-apps-to-prod }}
+          VERCEL_TOKEN: ${{ secrets.VERCEL_TOKEN }}
         run: |
-          if [ ${{ github.ref_name }} = main ] || [ ${{ inputs.publish-web-apps-to-prod }} = true ]; then
-            vercel pull --yes --environment=production --token=${{ secrets.VERCEL_TOKEN }}
-            vercel build --prod --token=${{ secrets.VERCEL_TOKEN }}
-            vercel deploy --prod --prebuilt --token=${{ secrets.VERCEL_TOKEN }}
+          if [ "$REF_NAME" = "main" ] || [ "$PUBLISH_TO_PROD" = "true" ]; then
+            vercel pull --yes --environment=production --token="$VERCEL_TOKEN"
+            vercel build --prod --token="$VERCEL_TOKEN"
+            vercel deploy --prod --prebuilt --token="$VERCEL_TOKEN"
           else
-            vercel pull --yes --environment=preview --token=${{ secrets.VERCEL_TOKEN }}
-            vercel build --token=${{ secrets.VERCEL_TOKEN }}
-            vercel deploy --prebuilt --token=${{ secrets.VERCEL_TOKEN }}
+            vercel pull --yes --environment=preview --token="$VERCEL_TOKEN"
+            vercel build --token="$VERCEL_TOKEN"
+            vercel deploy --prebuilt --token="$VERCEL_TOKEN"
           fi
-      - name: 'Deploy nextjs-marketing-demo site to Vercel'
+      - name: "Deploy nextjs-marketing-demo site to Vercel"
         env:
           # Domain: studio-nextjs-marketing-demo.colorfuldemo.com
           VERCEL_PROJECT_ID: prj_CQ1K4Pbkx5SQq2Fi9c4ZPHloOv79
           VERCEL_ORG_ID: ${{ secrets.VERCEL_ORG_ID }}
+          REF_NAME: ${{ github.ref_name }}
+          PUBLISH_TO_PROD: ${{ inputs.publish-web-apps-to-prod }}
+          VERCEL_TOKEN: ${{ secrets.VERCEL_TOKEN }}
         run: |
-          if [ ${{ github.ref_name }} = main ] || [ ${{ inputs.publish-web-apps-to-prod }} = true ]; then
-            vercel pull --yes --environment=production --token=${{ secrets.VERCEL_TOKEN }}
-            vercel build --prod --token=${{ secrets.VERCEL_TOKEN }}
-            vercel deploy --prod --prebuilt --token=${{ secrets.VERCEL_TOKEN }}
+          if [ "$REF_NAME" = "main" ] || [ "$PUBLISH_TO_PROD" = "true" ]; then
+            vercel pull --yes --environment=production --token="$VERCEL_TOKEN"
+            vercel build --prod --token="$VERCEL_TOKEN"
+            vercel deploy --prod --prebuilt --token="$VERCEL_TOKEN"
           else
-            vercel pull --yes --environment=preview --token=${{ secrets.VERCEL_TOKEN }}
-            vercel build --token=${{ secrets.VERCEL_TOKEN }}
-            vercel deploy --prebuilt --token=${{ secrets.VERCEL_TOKEN }}
+            vercel pull --yes --environment=preview --token="$VERCEL_TOKEN"
+            vercel build --token="$VERCEL_TOKEN"
+            vercel deploy --prebuilt --token="$VERCEL_TOKEN"
           fi
-      - name: 'Deploy react vite template site to Vercel'
+      - name: "Deploy react vite template site to Vercel"
         env:
           # Domain studio-react-vite-template.colorfuldemo.com
           VERCEL_PROJECT_ID: prj_HoAvIbgvZ3gYJDLCAaNsHIpBvI0k
           VERCEL_ORG_ID: ${{ secrets.VERCEL_ORG_ID }}
+          REF_NAME: ${{ github.ref_name }}
+          PUBLISH_TO_PROD: ${{ inputs.publish-web-apps-to-prod }}
+          VERCEL_TOKEN: ${{ secrets.VERCEL_TOKEN }}
         run: |
-          if [ ${{ github.ref_name }} = main ] || [ ${{ inputs.publish-web-apps-to-prod }} = true ]; then
-            vercel pull --yes --environment=production --token=${{ secrets.VERCEL_TOKEN }}
-            vercel build --prod --token=${{ secrets.VERCEL_TOKEN }}
-            vercel deploy --prod --prebuilt --token=${{ secrets.VERCEL_TOKEN }}
+          if [ "$REF_NAME" = "main" ] || [ "$PUBLISH_TO_PROD" = "true" ]; then
+            vercel pull --yes --environment=production --token="$VERCEL_TOKEN"
+            vercel build --prod --token="$VERCEL_TOKEN"
+            vercel deploy --prod --prebuilt --token="$VERCEL_TOKEN"
           else
-            vercel pull --yes --environment=preview --token=${{ secrets.VERCEL_TOKEN }}
-            vercel build --token=${{ secrets.VERCEL_TOKEN }}
-            vercel deploy --prebuilt --token=${{ secrets.VERCEL_TOKEN }}
+            vercel pull --yes --environment=preview --token="$VERCEL_TOKEN"
+            vercel build --token="$VERCEL_TOKEN"
+            vercel deploy --prebuilt --token="$VERCEL_TOKEN"
           fi
