ci: use environment variables to mitigate template injections

.github/workflows/cmake-linux.yml

@@ -44,6 +44,9 @@ jobs:
             version: 22
           - compiler: gcc
             version: 14
+    env:
+      COMPILER: "${{ matrix.compiler }}"
+      VERSION: "${{ matrix.version }}"
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
@@ -51,18 +54,18 @@ jobs:
 
       - name: Install clang ${{ matrix.version }}
         if: ${{ matrix.compiler == 'clang' }}
-        run: wget -qO - https://apt.llvm.org/llvm.sh | sudo bash -s -- ${{ matrix.version }} all
+        run: wget -qO - https://apt.llvm.org/llvm.sh | sudo bash -s -- ${VERSION} all
 
       - name: Configure
         run: |
-          if [[ "${{ matrix.compiler }}" == "clang" ]]; then
-            export CC=clang-${{ matrix.version }}
-            export CXX=clang++-${{ matrix.version }}
+          if [[ "${COMPILER}" == "clang" ]]; then
+            export CC=clang-${VERSION}
+            export CXX=clang++-${VERSION}
             export CXXFLAGS="-stdlib=libc++"
             export LDFLAGS="-fuse-ld=lld -rtlib=compiler-rt -unwindlib=libunwind"
           else
-            export CC=gcc-${{ matrix.version }}
-            export CXX=g++-${{ matrix.version }}
+            export CC=gcc-${VERSION}
+            export CXX=g++-${VERSION}
           fi
           cmake -B build -G Ninja -DCMAKE_BUILD_TYPE=Debug
 

.github/workflows/continuous-build-linux.yml

@@ -60,6 +60,8 @@ jobs:
           - riscv64-unknown-linux-musl
           - s390x-ibm-linux-musl
           - x86_64-unknown-linux-musl
+    env:
+      TOOLCHAIN: "${{ matrix.toolchain }}"
 
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -68,19 +70,20 @@ jobs:
 
       - name: Install cross toolchain
         run: |
-          wget -q -P /tmp https://github.com/cross-tools/musl-cross/releases/download/20260430/${{ matrix.toolchain }}.tar.xz
-          wget -q -P /tmp https://github.com/cross-tools/musl-cross/releases/download/20260430/${{ matrix.toolchain }}.tar.xz.sha256
+          wget -q -P /tmp https://github.com/cross-tools/musl-cross/releases/download/20260430/${TOOLCHAIN}.tar.xz
+          wget -q -P /tmp https://github.com/cross-tools/musl-cross/releases/download/20260430/${TOOLCHAIN}.tar.xz.sha256
           echo "$(cat /tmp/${{ matrix.toolchain }}.tar.xz.sha256) /tmp/${{ matrix.toolchain }}.tar.xz" | sha256sum --check --status
           mkdir -p /opt/x-tools/
-          tar -xf /tmp/${{ matrix.toolchain }}.tar.xz -C /opt/x-tools
+          tar -xf /tmp/${TOOLCHAIN}.tar.xz -C /opt/x-tools
 
       - name: Compile
-        run: CXX=/opt/x-tools/${{ matrix.toolchain }}/bin/${{ matrix.toolchain }}-g++ make STATIC=true STRIP=true
+        run: CXX=/opt/x-tools/${TOOLCHAIN}/bin/${TOOLCHAIN}-g++ make STATIC=true STRIP=true
 
       - name: Create binary artifacts
+        env:
+          GITHUB_SHA: "${{ github.sha }}"
         run: |
-          TOOLCHAIN=${{ matrix.toolchain }}
-          GIT_HASH=$(git rev-parse --short "${{ github.sha }}")
+          GIT_HASH=$(git rev-parse --short "${GITHUB_SHA}")
           FILENAME=btop-${TOOLCHAIN/linux-musl/}-$GIT_HASH
           mv bin/btop bin/$FILENAME
 

.github/workflows/continuous-build-macos.yml

@@ -56,10 +56,13 @@ jobs:
           brew install --force --overwrite gcc@15 lowdown
 
       - name: Compile
+        env:
+          RUNNER: "${{ matrix.os.runner }}"
+          VERSION: "${{ matrix.os.version }}"
         run: |
           make CXX=$(brew --prefix)/bin/g++-15
           GIT_HASH=$(git rev-parse --short "$GITHUB_SHA")
-          mv bin/btop bin/btop-arm64-${{ matrix.os.runner }}-${{ matrix.os.version }}-$GIT_HASH
+          mv bin/btop bin/btop-arm64-${RUNNER}-${VERSION}-$GIT_HASH
           ls -alh bin
 
       - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0