Merge pull request #2214 from Giskard-AI/feature/eng-1081-use-good-practices-for-ci-workflow-var-interpolation

fix(security): prevent command injection in GitHub Actions workflows [ENG-1131]

Author: mattbit

.github/workflows/create-release.yml

@@ -28,8 +28,10 @@ jobs:
           exit 1
 
       - name: Write release version env vars (with/without v)
+        env:
+          INPUT_VERSION: ${{ inputs.version }}
         run: |
-          VERSION_NAME="v${{ inputs.version }}"
+          VERSION_NAME="v$INPUT_VERSION"
           VERSION_NUMBER="${VERSION_NAME:1}"
           echo "VERSION_NUMBER=${VERSION_NUMBER}" >> $GITHUB_ENV
           echo "VERSION_NAME=${VERSION_NAME}" >> $GITHUB_ENV

.github/workflows/retry-workflow.yml

@@ -14,6 +14,7 @@ jobs:
         env:
           GH_REPO: ${{ github.repository }}
           GH_TOKEN: ${{ github.token }}
+          RUN_ID: ${{ inputs.run_id }}
         run: |
-          gh run watch ${{ inputs.run_id }} > /dev/null 2>&1
-          gh run rerun ${{ inputs.run_id }} --failed
+          gh run watch "$RUN_ID" > /dev/null 2>&1
+          gh run rerun "$RUN_ID" --failed