From ce707e1faaf1209958b6c0f5cd98c718733cd614 Mon Sep 17 00:00:00 2001
From: Eason Su
Date: Fri, 10 May 2024 15:35:05 +0800
Subject: [PATCH] Avoid running malicious inputs as shell commands in the GitHub Actions.
---
 .github/workflows/e2e-tests.yml | 8 ++++++--
 .github/workflows/php-unit-tests.yml | 5 ++++-
 2 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/e2e-tests.yml b/.github/workflows/e2e-tests.yml
index 583b7c345e..605321bf20 100644
--- a/.github/workflows/e2e-tests.yml
+++ b/.github/workflows/e2e-tests.yml
@@ -50,14 +50,18 @@ jobs:

 - name: Install WP release candidate (optional)
 if: github.event.inputs.wp-rc-version != ''
+ env:
+ INPUT_WP_RC_VERSION: ${{ github.event.inputs.wp-rc-version }}
 run: |
- npm run -- wp-env run tests-cli -- wp core update --version=${{ github.event.inputs.wp-rc-version }}
+ npm run -- wp-env run tests-cli -- wp core update --version="${INPUT_WP_RC_VERSION}"
 npm run -- wp-env run tests-cli -- wp core update-db

 - name: Install WC release candidate (optional)
 if: github.event.inputs.wc-rc-version != ''
+ env:
+ INPUT_WC_RC_VERSION: ${{ github.event.inputs.wc-rc-version }}
 run: |
- npm run -- wp-env run tests-cli -- wp plugin update woocommerce --version=${{ github.event.inputs.wc-rc-version }}
+ npm run -- wp-env run tests-cli -- wp plugin update woocommerce --version="${INPUT_WC_RC_VERSION}"
 npm run -- wp-env run tests-cli -- wp wc update

 - name: Download and install Chromium browser.
diff --git a/.github/workflows/php-unit-tests.yml b/.github/workflows/php-unit-tests.yml
index d4b0facbaf..ad898c3bc7 100644
--- a/.github/workflows/php-unit-tests.yml
+++ b/.github/workflows/php-unit-tests.yml
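Review bot: The two `--version=` arguments in the `Install WP release candidate` and `Install WC release candidate` steps still accept any string, because the env indirection only stops the runner's shell from parsing the input and nothing checks that it looks like a version. The value is then forwarded through `npm run` and `wp-env run tests-cli` into the container; whether that path re-parses the command line in a second shell depends on the wp-env version, which is not visible in this patch. A format check as the first line of each `run:` block would close that gap, for example `[[ "${INPUT_WP_RC_VERSION}" =~ ^[0-9A-Za-z.-]+$ ]] || { echo "Invalid version input" >&2; exit 1; }` (assumes the default bash shell; adjust the pattern to the version strings the project actually uses). A short comment above each `env:` key, such as `# Pass the input through env so it is never interpolated into the script text.`, would also keep a later edit from inlining the expression again.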
@@ -132,7 +132,10 @@ jobs:
 uses: woocommerce/grow/prepare-mysql@actions-v1

 - name: Install WP tests
- run: ./bin/install-wp-tests.sh wordpress_test root root localhost ${{ inputs.wp-rc-version }} ${{ inputs.wc-rc-version }}
+ env:
+ INPUT_WP_RC_VERSION: ${{ inputs.wp-rc-version }}
+ INPUT_WC_RC_VERSION: ${{ inputs.wc-rc-version }}
+ run: ./bin/install-wp-tests.sh wordpress_test root root localhost "${INPUT_WP_RC_VERSION}" "${INPUT_WC_RC_VERSION}"

 - name: Run PHP unit tests
 run: composer test-unit
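Review bot: The quoted `"${INPUT_WP_RC_VERSION}" "${INPUT_WC_RC_VERSION}"` on the new `run:` line always pass a fifth and sixth argument, so with empty inputs the script now receives two empty strings where the old unquoted expressions expanded to nothing. If `bin/install-wp-tests.sh` (not part of this patch) takes its defaults with the `${5-default}` form, an empty argument no longer triggers the default, whereas `${5:-default}` would. It is worth confirming that the script uses the `:-` form for both parameters, or handling the empty case in the step before calling it. The quoting itself is right: it also stops an empty WP version from shifting the WC version into the fifth position, which the old line allowed.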