build_latest_release_multi.yml fix remaining actionlint/shellcheck warnings

Author: vszakats

.github/workflows/build_latest_release_multi.yml

@@ -53,11 +53,11 @@ jobs:
       - name: 'set env vars'
         run: |
           release_tag_redirect=$(curl -s https://github.com/curl/curl/releases/latest -w'%{redirect_url}\n' -o /dev/null)
-          latest_release_ref=$(basename ${release_tag_redirect})
-          echo "TAG_REF=$latest_release_ref" >> $GITHUB_ENV
+          latest_release_ref=$(basename "${release_tag_redirect}")
+          echo "TAG_REF=$latest_release_ref" >> "$GITHUB_ENV"
           rel=${latest_release_ref:5}
           release_image_tag="${rel//_/.}"
-          echo "REL=$release_image_tag" >> $GITHUB_ENV
+          echo "REL=$release_image_tag" >> "$GITHUB_ENV"
       - name: 'build multi image'
         run: buildah unshare make branch_or_ref="$TAG_REF" release_tag="$REL" multibuild
       - name: 'test image'
@@ -67,11 +67,11 @@ jobs:
       - name: 'security scan image'
         run: |
           eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"
-          make image_name=localhost/curl-multi:$REL scan
+          make image_name=localhost/curl-multi:"$REL" scan
       - name: 'push images to github registry'
         run: |
-          buildah manifest push --format v2s2 --all curl-multi:$REL "docker://ghcr.io/curl/curl-container/curl-multi:$REL"
-          buildah manifest push --format v2s2 --all curl-base-multi:$REL "docker://ghcr.io/curl/curl-container/curl-base-multi:$REL"
+          buildah manifest push --format v2s2 --all curl-multi:"$REL" docker://ghcr.io/curl/curl-container/curl-multi:"$REL"
+          buildah manifest push --format v2s2 --all curl-base-multi:"$REL" docker://ghcr.io/curl/curl-container/curl-base-multi:"$REL"
       - name: 'install Cosign'
         uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
       - name: 'write signing key to disk (only needed for `cosign sign --key`)'
@@ -82,49 +82,49 @@ jobs:
         env:
           COSIGN_PASSWORD: '${{ secrets.COSIGN_PASSWORD }}'
         run: |
-          cosign sign -y --key cosign.key ghcr.io/curl/curl-container/curl-multi:$REL
-          cosign sign -y --key cosign.key ghcr.io/curl/curl-container/curl-base-multi:$REL
+          cosign sign -y --key cosign.key ghcr.io/curl/curl-container/curl-multi:"$REL"
+          cosign sign -y --key cosign.key ghcr.io/curl/curl-container/curl-base-multi:"$REL"
       - name: 'verify image with public key'
         run: |
-          cosign verify --key cosign.pub ghcr.io/curl/curl-container/curl-multi:$REL
-          cosign verify --key cosign.pub ghcr.io/curl/curl-container/curl-base-multi:$REL
+          cosign verify --key cosign.pub ghcr.io/curl/curl-container/curl-multi:"$REL"
+          cosign verify --key cosign.pub ghcr.io/curl/curl-container/curl-base-multi:"$REL"
       - name: 'push release to docker hub'
         run: |
-          buildah manifest push --format v2s2 --all localhost/curl-multi:$REL "docker://docker.io/curlimages/curl:$REL"
-          buildah manifest push --format v2s2 --all localhost/curl-multi:$REL "docker://docker.io/curlimages/curl:latest"
-          buildah manifest push --format v2s2 --all localhost/curl-base-multi:$REL "docker://docker.io/curlimages/curl-base:$REL"
-          buildah manifest push --format v2s2 --all localhost/curl-base-multi:$REL "docker://docker.io/curlimages/curl-base:latest"
+          buildah manifest push --format v2s2 --all localhost/curl-multi:"$REL" docker://docker.io/curlimages/curl:"$REL"
+          buildah manifest push --format v2s2 --all localhost/curl-multi:"$REL" docker://docker.io/curlimages/curl:latest
+          buildah manifest push --format v2s2 --all localhost/curl-base-multi:"$REL" docker://docker.io/curlimages/curl-base:"$REL"
+          buildah manifest push --format v2s2 --all localhost/curl-base-multi:"$REL" docker://docker.io/curlimages/curl-base:latest
       - name: 'sign images with a sigstore key'
         env:
           COSIGN_PASSWORD: '${{ secrets.COSIGN_PASSWORD }}'
         run: |
-          cosign sign -y --key cosign.key docker.io/curlimages/curl:$REL
+          cosign sign -y --key cosign.key docker.io/curlimages/curl:"$REL"
           cosign sign -y --key cosign.key docker.io/curlimages/curl:latest
-          cosign sign -y --key cosign.key docker.io/curlimages/curl-base:$REL
+          cosign sign -y --key cosign.key docker.io/curlimages/curl-base:"$REL"
           cosign sign -y --key cosign.key docker.io/curlimages/curl-base:latest
       - name: 'verify image with public key'
         run: |
-          cosign verify --key cosign.pub docker.io/curlimages/curl:$REL
+          cosign verify --key cosign.pub docker.io/curlimages/curl:"$REL"
           cosign verify --key cosign.pub docker.io/curlimages/curl:latest
-          cosign verify --key cosign.pub docker.io/curlimages/curl-base:$REL
+          cosign verify --key cosign.pub docker.io/curlimages/curl-base:"$REL"
           cosign verify --key cosign.pub docker.io/curlimages/curl-base:latest
       - name: 'push release to quay.io'
         run: |
-          buildah manifest push --format v2s2 --all localhost/curl-multi:$REL "docker://quay.io/curl/curl:$REL"
-          buildah manifest push --format v2s2 --all localhost/curl-multi:$REL "docker://quay.io/curl/curl:latest"
-          buildah manifest push --format v2s2 --all localhost/curl-base-multi:$REL "docker://quay.io/curl/curl-base:$REL"
-          buildah manifest push --format v2s2 --all localhost/curl-base-multi:$REL "docker://quay.io/curl/curl-base:latest"
+          buildah manifest push --format v2s2 --all localhost/curl-multi:"$REL" docker://quay.io/curl/curl:"$REL"
+          buildah manifest push --format v2s2 --all localhost/curl-multi:"$REL" docker://quay.io/curl/curl:latest
+          buildah manifest push --format v2s2 --all localhost/curl-base-multi:"$REL" docker://quay.io/curl/curl-base:"$REL"
+          buildah manifest push --format v2s2 --all localhost/curl-base-multi:"$REL" docker://quay.io/curl/curl-base:latest
       - name: 'sign images with a sigstore key'
         env:
           COSIGN_PASSWORD: '${{ secrets.COSIGN_PASSWORD }}'
         run: |
-          cosign sign -y --key cosign.key quay.io/curl/curl:$REL
+          cosign sign -y --key cosign.key quay.io/curl/curl:"$REL"
           cosign sign -y --key cosign.key quay.io/curl/curl:latest
-          cosign sign -y --key cosign.key quay.io/curl/curl-base:$REL
+          cosign sign -y --key cosign.key quay.io/curl/curl-base:"$REL"
           cosign sign -y --key cosign.key quay.io/curl/curl-base:latest
       - name: 'verify image with public key'
         run: |
-          cosign verify --key cosign.pub quay.io/curl/curl:$REL
+          cosign verify --key cosign.pub quay.io/curl/curl:"$REL"
           cosign verify --key cosign.pub quay.io/curl/curl:latest
-          cosign verify --key cosign.pub quay.io/curl/curl-base:$REL
+          cosign verify --key cosign.pub quay.io/curl/curl-base:"$REL"
           cosign verify --key cosign.pub quay.io/curl/curl-base:latest