fix(security): resolve CodeQL envvar-injection and code-injection alerts

- release.yml: remove unused VERSION env var from 'List build artifacts'
  step; switch all GITHUB_ENV writes to heredoc delimiter pattern (GHEOF)
  to prevent environment variable injection (actions/envvar-injection/critical)
- release.yml: move vars.SIGNPATH_ORG_ID and vars.SIGNPATH_PROJECT_SLUG
  to env block in signing step (proactive code-injection prevention)
- sign-artifacts.yml: move all ${{ }} expressions (inputs.*, vars.*,
  steps.*.outputs.*) from run blocks to env blocks
  (actions/code-injection/medium × 7)
- sign-artifacts.yml: pin signpath/github-action-submit-signing-request
  to SHA ced31329c0317e779dad2eec2a7c3bb46ea1343e (actions/unpinned-tag)

Resolves: EGS-LL CodeQL alerts #7-#15

Author: xaoscience

.github/workflows/release.yml

@@ -608,45 +608,63 @@ jobs:
 
       - name: List build artifacts
         if: steps.check_release.outputs.exists != 'true'
-        env:
-          VERSION: ${{ steps.version.outputs.version }}
         run: |
           if [[ ! -d "dist" ]]; then
             echo "⚠️ No dist/ directory - no tarballs were built"
-            SAFE_TARBALL_COUNT=$(printf '%s' "0" | tr -d '\n\r')
-            echo "tarball_count=${SAFE_TARBALL_COUNT}" >> $GITHUB_ENV
+            {
+              echo 'tarball_count<<GHEOF'
+              echo '0'
+              echo 'GHEOF'
+            } >> "$GITHUB_ENV"
             exit 0
           fi
-          
+
           echo "📦 Build artifacts:"
           ls -la dist/ || true
-          
+
           # Get main tarball info (first .tar.gz that's not a sub-package)
           TARBALL=$(ls dist/*.tar.gz 2>/dev/null | head -1 || echo "")
           if [[ -n "$TARBALL" ]]; then
-            # Sanitize values to a single line before exporting to GITHUB_ENV
             SAFE_TARBALL=$(printf '%s' "$TARBALL" | tr -d '\n\r')
             SAFE_TARBALL_NAME=$(basename "$SAFE_TARBALL" | tr -d '\n\r')
-            echo "tarball_path=${SAFE_TARBALL}" >> $GITHUB_ENV
-            echo "tarball_name=${SAFE_TARBALL_NAME}" >> $GITHUB_ENV
-            
+            {
+              echo 'tarball_path<<GHEOF'
+              printf '%s\n' "$SAFE_TARBALL"
+              echo 'GHEOF'
+              echo 'tarball_name<<GHEOF'
+              printf '%s\n' "$SAFE_TARBALL_NAME"
+              echo 'GHEOF'
+            } >> "$GITHUB_ENV"
+
             if [[ -f "${TARBALL}.sha256" ]]; then
               SHA256=$(cat "${TARBALL}.sha256" | awk '{print $1}')
               SAFE_SHA256=$(printf '%s' "$SHA256" | tr -d '\n\r')
-              echo "tarball_sha256=${SAFE_SHA256}" >> $GITHUB_ENV
+              {
+                echo 'tarball_sha256<<GHEOF'
+                printf '%s\n' "$SAFE_SHA256"
+                echo 'GHEOF'
+              } >> "$GITHUB_ENV"
               echo "🔐 Tarball SHA256: ${SAFE_SHA256}"
             fi
           fi
-          
+
           # Count all tarballs for summary
           TARBALL_COUNT=$(ls dist/*.tar.gz 2>/dev/null | wc -l || echo "0")
           SAFE_TARBALL_COUNT=$(printf '%s' "$TARBALL_COUNT" | tr -d '\n\r')
-          echo "tarball_count=${SAFE_TARBALL_COUNT}" >> $GITHUB_ENV
+          {
+            echo 'tarball_count<<GHEOF'
+            printf '%s\n' "$SAFE_TARBALL_COUNT"
+            echo 'GHEOF'
+          } >> "$GITHUB_ENV"
 
           # Count build workflow artifacts (non-tarball files)
           BUILD_ARTIFACT_COUNT=$(find dist/ -maxdepth 1 -type f ! -name "*.tar.gz" ! -name "*.sha256" ! -name "SHA256SUMS.txt" 2>/dev/null | wc -l || echo "0")
           SAFE_BUILD_ARTIFACT_COUNT=$(printf '%s' "$BUILD_ARTIFACT_COUNT" | tr -d '\n\r')
-          echo "build_artifact_count=${SAFE_BUILD_ARTIFACT_COUNT}" >> $GITHUB_ENV
+          {
+            echo 'build_artifact_count<<GHEOF'
+            printf '%s\n' "$SAFE_BUILD_ARTIFACT_COUNT"
+            echo 'GHEOF'
+          } >> "$GITHUB_ENV"
 
       # ========================================================================
       # CODE SIGNING: Authenticode signing via SignPath.io (optional)
@@ -672,9 +690,11 @@ jobs:
           && steps.build_workflows.outputs.has_builds == 'true'
         env:
           SIGNPATH_API_TOKEN: ${{ secrets.SIGNPATH_API_TOKEN }}
+          SIGNPATH_ORG_ID: ${{ vars.SIGNPATH_ORG_ID }}
+          SIGNPATH_PROJECT_SLUG: ${{ vars.SIGNPATH_PROJECT_SLUG }}
         run: |
-          ORG_ID="${{ vars.SIGNPATH_ORG_ID }}"
-          PROJECT="${{ vars.SIGNPATH_PROJECT_SLUG }}"
+          ORG_ID="${SIGNPATH_ORG_ID}"
+          PROJECT="${SIGNPATH_PROJECT_SLUG}"
           POLICY="release-signing"
           CONFIG="exe"
 

workflows-templates/release.yml

@@ -611,45 +611,63 @@ jobs:
 
       - name: List build artifacts
         if: steps.check_release.outputs.exists != 'true'
-        env:
-          VERSION: ${{ steps.version.outputs.version }}
         run: |
           if [[ ! -d "dist" ]]; then
             echo "⚠️ No dist/ directory - no tarballs were built"
-            SAFE_TARBALL_COUNT=$(printf '%s' "0" | tr -d '\n\r')
-            echo "tarball_count=${SAFE_TARBALL_COUNT}" >> $GITHUB_ENV
+            {
+              echo 'tarball_count<<GHEOF'
+              echo '0'
+              echo 'GHEOF'
+            } >> "$GITHUB_ENV"
             exit 0
           fi
-          
+
           echo "📦 Build artifacts:"
           ls -la dist/ || true
-          
+
           # Get main tarball info (first .tar.gz that's not a sub-package)
           TARBALL=$(ls dist/*.tar.gz 2>/dev/null | head -1 || echo "")
           if [[ -n "$TARBALL" ]]; then
-            # Sanitize values to a single line before exporting to GITHUB_ENV
             SAFE_TARBALL=$(printf '%s' "$TARBALL" | tr -d '\n\r')
             SAFE_TARBALL_NAME=$(basename "$SAFE_TARBALL" | tr -d '\n\r')
-            echo "tarball_path=${SAFE_TARBALL}" >> $GITHUB_ENV
-            echo "tarball_name=${SAFE_TARBALL_NAME}" >> $GITHUB_ENV
-            
+            {
+              echo 'tarball_path<<GHEOF'
+              printf '%s\n' "$SAFE_TARBALL"
+              echo 'GHEOF'
+              echo 'tarball_name<<GHEOF'
+              printf '%s\n' "$SAFE_TARBALL_NAME"
+              echo 'GHEOF'
+            } >> "$GITHUB_ENV"
+
             if [[ -f "${TARBALL}.sha256" ]]; then
               SHA256=$(cat "${TARBALL}.sha256" | awk '{print $1}')
               SAFE_SHA256=$(printf '%s' "$SHA256" | tr -d '\n\r')
-              echo "tarball_sha256=${SAFE_SHA256}" >> $GITHUB_ENV
+              {
+                echo 'tarball_sha256<<GHEOF'
+                printf '%s\n' "$SAFE_SHA256"
+                echo 'GHEOF'
+              } >> "$GITHUB_ENV"
               echo "🔐 Tarball SHA256: ${SAFE_SHA256}"
             fi
           fi
-          
+
           # Count all tarballs for summary
           TARBALL_COUNT=$(ls dist/*.tar.gz 2>/dev/null | wc -l || echo "0")
           SAFE_TARBALL_COUNT=$(printf '%s' "$TARBALL_COUNT" | tr -d '\n\r')
-          echo "tarball_count=${SAFE_TARBALL_COUNT}" >> $GITHUB_ENV
+          {
+            echo 'tarball_count<<GHEOF'
+            printf '%s\n' "$SAFE_TARBALL_COUNT"
+            echo 'GHEOF'
+          } >> "$GITHUB_ENV"
 
           # Count build workflow artifacts (non-tarball files)
           BUILD_ARTIFACT_COUNT=$(find dist/ -maxdepth 1 -type f ! -name "*.tar.gz" ! -name "*.sha256" ! -name "SHA256SUMS.txt" 2>/dev/null | wc -l || echo "0")
           SAFE_BUILD_ARTIFACT_COUNT=$(printf '%s' "$BUILD_ARTIFACT_COUNT" | tr -d '\n\r')
-          echo "build_artifact_count=${SAFE_BUILD_ARTIFACT_COUNT}" >> $GITHUB_ENV
+          {
+            echo 'build_artifact_count<<GHEOF'
+            printf '%s\n' "$SAFE_BUILD_ARTIFACT_COUNT"
+            echo 'GHEOF'
+          } >> "$GITHUB_ENV"
 
       # ========================================================================
       # CODE SIGNING: Authenticode signing via SignPath.io (optional)
@@ -675,9 +693,11 @@ jobs:
           && steps.build_workflows.outputs.has_builds == 'true'
         env:
           SIGNPATH_API_TOKEN: ${{ secrets.SIGNPATH_API_TOKEN }}
+          SIGNPATH_ORG_ID: ${{ vars.SIGNPATH_ORG_ID }}
+          SIGNPATH_PROJECT_SLUG: ${{ vars.SIGNPATH_PROJECT_SLUG }}
         run: |
-          ORG_ID="${{ vars.SIGNPATH_ORG_ID }}"
-          PROJECT="${{ vars.SIGNPATH_PROJECT_SLUG }}"
+          ORG_ID="${SIGNPATH_ORG_ID}"
+          PROJECT="${SIGNPATH_PROJECT_SLUG}"
           POLICY="release-signing"
           CONFIG="exe"
 

workflows-templates/sign-artifacts.yml

@@ -112,10 +112,14 @@ jobs:
     steps:
       - name: Check signing prerequisites
         id: preflight
+        env:
+          INPUT_PROJECT_SLUG: ${{ inputs.project_slug }}
+          VAR_PROJECT_SLUG: ${{ vars.SIGNPATH_PROJECT_SLUG }}
+          VAR_ORG_ID: ${{ vars.SIGNPATH_ORG_ID }}
         run: |
-          PROJECT="${{ inputs.project_slug }}"
-          [[ -z "$PROJECT" ]] && PROJECT="${{ vars.SIGNPATH_PROJECT_SLUG }}"
-          ORG_ID="${{ vars.SIGNPATH_ORG_ID }}"
+          PROJECT="${INPUT_PROJECT_SLUG}"
+          [[ -z "$PROJECT" ]] && PROJECT="${VAR_PROJECT_SLUG}"
+          ORG_ID="${VAR_ORG_ID}"
 
           if [[ -z "$ORG_ID" ]]; then
             echo "⚠️ SIGNPATH_ORG_ID not set — skipping code signing"
@@ -146,7 +150,7 @@ jobs:
       - name: Submit signing request
         id: sign
         if: steps.preflight.outputs.skip != 'true'
-        uses: signpath/github-action-submit-signing-request@v1
+        uses: signpath/github-action-submit-signing-request@ced31329c0317e779dad2eec2a7c3bb46ea1343e # v1
         with:
           api-token: ${{ secrets.SIGNPATH_API_TOKEN }}
           organization-id: ${{ steps.preflight.outputs.org_id }}
@@ -168,14 +172,18 @@ jobs:
 
       - name: Report signing result
         if: always()
+        env:
+          PREFLIGHT_SKIP: ${{ steps.preflight.outputs.skip }}
+          SIGN_OUTCOME: ${{ steps.sign.outcome }}
+          ARTIFACT_NAME: ${{ inputs.artifact_name }}
         run: |
-          if [[ "${{ steps.preflight.outputs.skip }}" == "true" ]]; then
+          if [[ "$PREFLIGHT_SKIP" == "true" ]]; then
             echo "outcome=skipped" >> "$GITHUB_OUTPUT"
             echo "⏭️ Code signing was skipped (missing configuration)"
-          elif [[ "${{ steps.sign.outcome }}" == "success" ]]; then
+          elif [[ "$SIGN_OUTCOME" == "success" ]]; then
             echo "outcome=success" >> "$GITHUB_OUTPUT"
-            echo "✅ Artefact '${{ inputs.artifact_name }}' signed successfully"
+            echo "✅ Artefact '${ARTIFACT_NAME}' signed successfully"
           else
             echo "outcome=failure" >> "$GITHUB_OUTPUT"
-            echo "❌ Signing failed for '${{ inputs.artifact_name }}'"
+            echo "❌ Signing failed for '${ARTIFACT_NAME}'"
           fi