From 7eb2f2823b360503c59d2432299e643462891ca0 Mon Sep 17 00:00:00 2001
From: Marco Nenciarini
Date: Tue, 3 Mar 2026 18:25:22 +0100
Subject: [PATCH] fix(security): harden GitHub Actions workflows against expression injection

Move ${{ }} expressions from run: blocks into step-level env: blocks, then reference them as properly-quoted shell variables.

Signed-off-by: Marco Nenciarini
---
 .github/workflows/chaos-test-full.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/chaos-test-full.yml b/.github/workflows/chaos-test-full.yml
index 982212f..fb6de07 100644
--- a/.github/workflows/chaos-test-full.yml
+++ b/.github/workflows/chaos-test-full.yml
@@ -62,6 +62,8 @@ jobs:
 echo "✅ Prometheus is ready for chaos test"
 
 - name: Run Jepsen + Chaos test
+ env:
+ CHAOS_DURATION: ${{ inputs.chaos_duration || '300' }}
 run: |
 export KUBECONFIG=/tmp/cnpg-playground/k8s/kube-config.yaml
 export LITMUS_NAMESPACE=litmus
@@ -70,10 +72,10 @@ jobs:
 echo "=== Starting Jepsen + Chaos Test ==="
 echo "Cluster: pg-eu"
 echo "Namespace: app"
- echo "Chaos duration: ${{ inputs.chaos_duration || '300' }} seconds"
+ echo "Chaos duration: ${CHAOS_DURATION} seconds"
 echo ""
- ./scripts/run-jepsen-chaos-test.sh pg-eu app ${{ inputs.chaos_duration || '300' }}
+ ./scripts/run-jepsen-chaos-test.sh pg-eu app "${CHAOS_DURATION}"
 
 - name: Collect test results
 if: always()
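Review bot: The new `CHAOS_DURATION` env entry in the first hunk moves `inputs.chaos_duration` out of the shell text, which closes the expression-injection path, but the value itself is still taken as-is and then handed verbatim as the third argument to `./scripts/run-jepsen-chaos-test.sh` in the second hunk, so its safety now depends entirely on what that script does with it. Unless the `inputs` declaration (not in this diff) already constrains it with `type: number`, a guard at the top of the `run:` block would keep non-numeric values out before the script sees them: `[[ "${CHAOS_DURATION}" =~ ^[0-9]+$ ]] || { echo "chaos_duration must be an integer number of seconds" >&2; exit 1; }`. The step's `run: |` block begins in this hunk and continues past its end into the second hunk.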