From 8109bf648358895bceb13a2d92925cd5e953f989 Mon Sep 17 00:00:00 2001
From: Olga Naydyonock
Date: Wed, 6 Aug 2025 19:30:13 +0300
Subject: [PATCH 1/2] ci: fix semgrep reported run-shell-injection

---
 .github/workflows/maven-goal/action.yml | 4 +++-
 .github/workflows/pre-post-release.yml | 8 ++++++--
 .github/workflows/validate-tag/action.yml | 8 +++++---
 3 files changed, 14 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/maven-goal/action.yml b/.github/workflows/maven-goal/action.yml
index 7b8dbb96..854ebf92 100644
--- a/.github/workflows/maven-goal/action.yml
+++ b/.github/workflows/maven-goal/action.yml
@@ -25,5 +25,7 @@ runs:
 java-version-file: .java-version
 distribution: ${{ inputs.distribution }}
 cache: 'maven'
- - run: ${{ inputs.command }}
+ - run: "$COMMAND"
 shell: ${{ inputs.shell }}
+ env:
+ COMMAND: ${{ inputs.command }}
\ No newline at end of file
diff --git a/.github/workflows/pre-post-release.yml b/.github/workflows/pre-post-release.yml
index eda93961..c9604bc6 100644
--- a/.github/workflows/pre-post-release.yml
+++ b/.github/workflows/pre-post-release.yml
@@ -99,10 +99,14 @@ jobs:
 - name: Push the ${{ inputs.phase }} release branch
 run: |
 git add --all
- git commit -m "${{ inputs.phase }} release: ecs-logging-java v${{ env.RELEASE_VERSION }}"
+ git commit -m "$PHASE release: ecs-logging-java v${{ env.RELEASE_VERSION }}"
 git push origin ${{ env.BRANCH_NAME }}
+ env:
+ PHASE: ${{ inputs.phase }}
 - name: Create the ${{ inputs.phase }} release PR
- run: gh pr create --title="${{ inputs.pr_title }}" --base main --head ${{ env.BRANCH_NAME }} -b "${{ inputs.pr_body }}"
+ run: gh pr create --title="$PR_TITLE" --base main --head ${{ env.BRANCH_NAME }} -b "$PR_BODY"
 env:
 GH_TOKEN: ${{ steps.get_token.outputs.token }}
+ PR_TITLE: ${{ inputs.pr_title }}
+ PR_BODY: ${{ inputs.pr_body }}
diff --git a/.github/workflows/validate-tag/action.yml b/.github/workflows/validate-tag/action.yml
index a982355e..ccd9f3ab 100644
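Review bot: Quoting the entire command as `"$COMMAND"` in the `- run:` line hands `inputs.command` to the shell as one word, so a value with arguments (say `./mvnw -B verify`) is looked up as a single program name and fails with "command not found"; only a bare executable name still runs. If the input is a full command line, the step must re-split it — `run: eval "${COMMAND}"` for a POSIX shell input (plain unquoted `${COMMAND}` word-splits but drops any quoting inside the value) — with a comment such as `# inputs.command is executed as given; callers must pass a literal goal, never text taken from a PR or issue`. Moving the value into `env:` does not change what this action trusts: whatever the caller supplies is still run, so the semgrep finding is inherent to a run-a-command action and the real control sits in the calling workflows. The second commit's hunk on this file keeps the quoted form as `"${COMMAND}"`, and the enclosing `steps:` list starts outside the hunk.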
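Review bot: The two `run:` blocks still splice `${{ env.BRANCH_NAME }}` and `${{ env.RELEASE_VERSION }}` into the script text by template substitution, so the pattern this commit removes for `inputs.phase`, `pr_title` and `pr_body` is only partly closed if either env value is derived from a workflow input (they are set outside the hunk, so I cannot confirm). The `env` context is already exported to the step's shell, so no extra `env:` entries are needed: `git commit -m "${PHASE} release: ecs-logging-java v${RELEASE_VERSION}"`, `git push origin "${BRANCH_NAME}"` and `--head "${BRANCH_NAME}"`. Quoting `${BRANCH_NAME}` also keeps the push target a single argument. The second commit's hunk on this file keeps the `${{ env.* }}` forms; the job's earlier steps are outside the hunk.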
--- a/.github/workflows/validate-tag/action.yml
+++ b/.github/workflows/validate-tag/action.yml
@@ -15,11 +15,13 @@ runs:
 id: validate-tag
 shell: 'bash'
 run: |
- if ! [ $(echo "${{ inputs.tag }}" | grep -P "(\d{1,2})\.(\d{1,2})\.(\d{1,2})") ]; then
+ if ! [ $(echo "$TAG" | grep -P "(\d{1,2})\.(\d{1,2})\.(\d{1,2})") ]; then
 echo "Tag should be a SemVer format"
 exit 1
 fi
- if [ $(git tag -l "${{ inputs.tag }}") ]; then
- echo "The tag ${{ inputs.tag }} already exists"
+ if [ $(git tag -l "$TAG") ]; then
+ echo "The tag $TAG already exists"
 exit 1
 fi
+ env:
+ TAG: ${{ inputs.tag }}

From 73839c50eb789562768ffb6065161ba26d52b8d3 Mon Sep 17 00:00:00 2001
From: Olga Naydyonock
Date: Mon, 11 Aug 2025 13:33:44 +0300
Subject: [PATCH 2/2] updated PR according to reviews

---
 .github/workflows/maven-goal/action.yml | 2 +-
 .github/workflows/pre-post-release.yml | 4 ++--
 .github/workflows/validate-tag/action.yml | 6 +++---
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/maven-goal/action.yml b/.github/workflows/maven-goal/action.yml
index 854ebf92..4cf9c6e9 100644
--- a/.github/workflows/maven-goal/action.yml
+++ b/.github/workflows/maven-goal/action.yml
@@ -25,7 +25,7 @@ runs:
 java-version-file: .java-version
 distribution: ${{ inputs.distribution }}
 cache: 'maven'
- - run: "$COMMAND"
+ - run: "${COMMAND}"
 shell: ${{ inputs.shell }}
 env:
 COMMAND: ${{ inputs.command }}
\ No newline at end of file
diff --git a/.github/workflows/pre-post-release.yml b/.github/workflows/pre-post-release.yml
index c9604bc6..73226dac 100644
--- a/.github/workflows/pre-post-release.yml
+++ b/.github/workflows/pre-post-release.yml
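Review bot: Both tests in the `run:` script keep the command substitution unquoted inside `[ ]`, so when the substitution yields more than one word `[` reports an error instead of a verdict; for the first check the negation still rejects the tag, but for `git tag -l "$TAG"` — which treats its argument as a glob — a value like `1.2.3*` (accepted by the unanchored grep) can list several tags, the test then exits with status 2, and the "already exists" branch is skipped. A bash-native form sidesteps both the word-splitting and the pattern match: `if ! [[ "${TAG}" =~ ^[0-9]{1,2}\.[0-9]{1,2}\.[0-9]{1,2}$ ]]; then` and `if git show-ref --verify --quiet "refs/tags/${TAG}"; then`. The `^…$` anchors tighten the current regex, which also accepts `x1.2.3y`; omit them if tags legitimately carry a prefix or suffix. The second commit's hunk on this file only adds braces around the same expressions.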
@@ -99,13 +99,13 @@ jobs:
 - name: Push the ${{ inputs.phase }} release branch
 run: |
 git add --all
- git commit -m "$PHASE release: ecs-logging-java v${{ env.RELEASE_VERSION }}"
+ git commit -m "${PHASE} release: ecs-logging-java v${{ env.RELEASE_VERSION }}"
 git push origin ${{ env.BRANCH_NAME }}
 env:
 PHASE: ${{ inputs.phase }}
 - name: Create the ${{ inputs.phase }} release PR
- run: gh pr create --title="$PR_TITLE" --base main --head ${{ env.BRANCH_NAME }} -b "$PR_BODY"
+ run: gh pr create --title="${PR_TITLE}" --base main --head ${{ env.BRANCH_NAME }} -b "${PR_BODY}"
 env:
 GH_TOKEN: ${{ steps.get_token.outputs.token }}
 PR_TITLE: ${{ inputs.pr_title }}
diff --git a/.github/workflows/validate-tag/action.yml b/.github/workflows/validate-tag/action.yml
index ccd9f3ab..07e33d72 100644
--- a/.github/workflows/validate-tag/action.yml
+++ b/.github/workflows/validate-tag/action.yml
@@ -15,12 +15,12 @@ runs:
 id: validate-tag
 shell: 'bash'
 run: |
- if ! [ $(echo "$TAG" | grep -P "(\d{1,2})\.(\d{1,2})\.(\d{1,2})") ]; then
+ if ! [ $(echo "${TAG}" | grep -P "(\d{1,2})\.(\d{1,2})\.(\d{1,2})") ]; then
 echo "Tag should be a SemVer format"
 exit 1
 fi
- if [ $(git tag -l "$TAG") ]; then
- echo "The tag $TAG already exists"
+ if [ $(git tag -l "${TAG}") ]; then
+ echo "The tag ${TAG} already exists"
 exit 1
 fi
 env: