Merge pull request #2397 from woocommerce/dev/avoid-gha-malicious-input

Avoid running malicious inputs as shell commands in the GitHub Actions

.github/workflows/e2e-tests.yml

@@ -50,14 +50,18 @@ jobs:
 
       - name: Install WP release candidate (optional)
         if: github.event.inputs.wp-rc-version != ''
+        env:
+          INPUT_WP_RC_VERSION: ${{ github.event.inputs.wp-rc-version }}
         run: |
-          npm run -- wp-env run tests-cli -- wp core update --version=${{ github.event.inputs.wp-rc-version }}
+          npm run -- wp-env run tests-cli -- wp core update --version="${INPUT_WP_RC_VERSION}"
           npm run -- wp-env run tests-cli -- wp core update-db
 
       - name: Install WC release candidate (optional)
         if: github.event.inputs.wc-rc-version != ''
+        env:
+          INPUT_WC_RC_VERSION: ${{ github.event.inputs.wc-rc-version }}
         run: |
-          npm run -- wp-env run tests-cli -- wp plugin update woocommerce --version=${{ github.event.inputs.wc-rc-version }}
+          npm run -- wp-env run tests-cli -- wp plugin update woocommerce --version="${INPUT_WC_RC_VERSION}"
           npm run -- wp-env run tests-cli -- wp wc update
 
       - name: Download and install Chromium browser.

.github/workflows/php-unit-tests.yml

@@ -132,7 +132,10 @@ jobs:
         uses: woocommerce/grow/prepare-mysql@actions-v1
 
       - name: Install WP tests
-        run: ./bin/install-wp-tests.sh wordpress_test root root localhost ${{ inputs.wp-rc-version }} ${{ inputs.wc-rc-version }}
+        env:
+          INPUT_WP_RC_VERSION: ${{ inputs.wp-rc-version }}
+          INPUT_WC_RC_VERSION: ${{ inputs.wc-rc-version }}
+        run: ./bin/install-wp-tests.sh wordpress_test root root localhost "${INPUT_WP_RC_VERSION}" "${INPUT_WC_RC_VERSION}"
 
       - name: Run PHP unit tests
         run: composer test-unit