From 31e2907aa024d282461faa5682f0931c57af0f04 Mon Sep 17 00:00:00 2001
From: Mynacol
Date: Thu, 7 Aug 2025 17:59:21 +0000
Subject: [PATCH] Escape shell variables

I might have faced a problem caused by multiline release notes. Irrespective of that, this commit fixes most of the shellcheck warnings. At the tea invocation, `releaseType` may not be quoted to avoid an empty argument for stable releases.
---
 action.yml | 24 +++++++--------
 forgejo-release.sh | 76 +++++++++++++++++++++++-----------------------
 2 files changed, 50 insertions(+), 50 deletions(-)

diff --git a/action.yml b/action.yml
index f6725c7..aeafac5 100644
--- a/action.yml
+++ b/action.yml
@@ -69,9 +69,9 @@ runs:
 export FORGEJO="${{ inputs.url }}"
 # A trailing / will mean http://forgejo//api/v1 is used
 # and it always 401 as of v1.19, because of the double slash
- FORGEJO=${FORGEJO%%/}
- export SCHEME=${FORGEJO%://*}
- export HOST=${FORGEJO#*://}
+ FORGEJO="${FORGEJO%%/}"
+ export SCHEME="${FORGEJO%://*}"
+ export HOST="${FORGEJO#*://}"
 export REPO="${{ inputs.repo }}"
@@ -84,18 +84,18 @@ runs:
 export PRERELEASE="${{ inputs.prerelease }}"
 export RELEASE_NOTES_ASSISTANT="${{ inputs.release-notes-assistant }}"
- export RELEASE_NOTES_ASSISTANT_WORKDIR=${{ forge.action_path }}/rna
+ export RELEASE_NOTES_ASSISTANT_WORKDIR="${{ forge.action_path }}/rna"
 export HIDE_ARCHIVE_LINK="${{ inputs.hide-archive-link }}"
- export TOKEN=${{ inputs.token }}
+ export TOKEN="${{ inputs.token }}"
 export RELEASE_DIR="${{ inputs.release-dir }}"
- export RELEASENOTES=$(cat << 'EOF'
+ export RELEASENOTES="$(cat << 'EOF'
 ${{ inputs.release-notes }}
 EOF
- )
+ )"
 export SHA="${{ inputs.sha }}"
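Review bot: `export TOKEN="${{ inputs.token }}"` and the other `${{ inputs.* }}` expressions in this hunk are substituted into the script text before bash parses it, so the added double quotes only protect the value once it is already a shell string: an input containing `"` still terminates the string, and a release-notes body containing a line that reads `EOF` still terminates the quoted here-document, with whatever follows being parsed as shell. The robust form is to pass the inputs through the step's `env:` mapping (e.g. `INPUT_TOKEN: ${{ inputs.token }}`) and reference `"$INPUT_TOKEN"` / `"$INPUT_RELEASE_NOTES"` in the script, so that input text never becomes program text. The same applies to `${{ inputs.gpg-private-key }}` and `${{ inputs.gpg-passphrase }}` in the next hunk (`@@ -105`).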
@@ -105,12 +105,12 @@ runs:
 export RETRY="${{ inputs.download-retry }}"
- export TMP_DIR=$(mktemp -d)
- trap "rm -fr $TMP_DIR" EXIT
+ export TMP_DIR="$(mktemp -d)"
+ trap "rm -fr '$TMP_DIR'" EXIT
- echo -n "${{ inputs.gpg-private-key }}" > $TMP_DIR/gpg-private-key
- export GPG_PRIVATE_KEY=$TMP_DIR/gpg-private-key
- echo -n "${{ inputs.gpg-passphrase }}" > $TMP_DIR/gpg-passphrase
+ echo -n "${{ inputs.gpg-private-key }}" > "$TMP_DIR/gpg-private-key"
+ export GPG_PRIVATE_KEY="$TMP_DIR/gpg-private-key"
+ echo -n "${{ inputs.gpg-passphrase }}" > "$TMP_DIR/gpg-passphrase"
 export GPG_PASSPHRASE="$TMP_DIR/gpg-passphrase"
 forgejo-release.sh ${{ inputs.direction }}
diff --git a/forgejo-release.sh b/forgejo-release.sh
index 041d1c4..030346c 100755
--- a/forgejo-release.sh
+++ b/forgejo-release.sh
@@ -5,19 +5,19 @@ set -e
 if ${VERBOSE:-false}; then set -x; fi
-: ${FORGEJO:=https://codeberg.org}
-: ${REPO:=forgejo-integration/forgejo}
-: ${TITLE:=$TAG}
-: ${RELEASE_DIR:=dist/release}
-: ${DOWNLOAD_LATEST:=false}
-: ${TMP_DIR:=$(mktemp -d)}
-: ${GNUPGHOME:=$TMP_DIR}
-: ${TEA_BIN:=$TMP_DIR/tea}
-: ${TEA_VERSION:=0.9.0}
-: ${OVERRIDE:=false}
-: ${HIDE_ARCHIVE_LINK:=false}
-: ${RETRY:=1}
-: ${DELAY:=10}
+: "${FORGEJO:=https://codeberg.org}"
+: "${REPO:=forgejo-integration/forgejo}"
+: "${TITLE:=$TAG}"
+: "${RELEASE_DIR:=dist/release}"
+: "${DOWNLOAD_LATEST:=false}"
+: "${TMP_DIR:=$(mktemp -d)}"
+: "${GNUPGHOME:=$TMP_DIR}"
+: "${TEA_BIN:=$TMP_DIR/tea}"
+: "${TEA_VERSION:=0.9.0}"
+: "${OVERRIDE:=false}"
+: "${HIDE_ARCHIVE_LINK:=false}"
+: "${RETRY:=1}"
+: "${DELAY:=10}"
 RELEASE_NOTES_ASSISTANT_VERSION=v1.4.0 # renovate: datasource=forgejo-releases depName=forgejo/release-notes-assistant registryUrl=https://code.forgejo.org
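Review bot: `echo -n "${{ inputs.gpg-private-key }}" > "$TMP_DIR/gpg-private-key"` and the passphrase line below it create the files with the default umask, typically 0644, so the key material is protected only by the 0700 mode that `mktemp -d` gives the directory; adding `umask 077` before these two redirections makes the files themselves private (the same directory becomes `GNUPGHOME` in `forgejo-release.sh`). `printf '%s'` is preferable to `echo -n` for key material, since a value starting with `-e`, `-E` or `-n` is consumed as an option by bash's builtin echo. The new `trap "rm -fr '$TMP_DIR'" EXIT` still expands the path when the trap is set and breaks on a path containing `'`; the conventional form is `trap 'rm -fr -- "$TMP_DIR"' EXIT`, which is expanded when the trap fires and stays correct as long as `TMP_DIR` is not reassigned.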
@@ -29,16 +29,16 @@ export GNUPGHOME
 setup_tea() {
 if which tea 2>/dev/null; then
 TEA_BIN=$(which tea)
- elif ! test -f $TEA_BIN; then
+ elif ! test -f "$TEA_BIN"; then
 ARCH=$(dpkg --print-architecture)
- curl -sL https://dl.gitea.io/tea/$TEA_VERSION/tea-$TEA_VERSION-linux-"$ARCH" >$TEA_BIN
- chmod +x $TEA_BIN
+ curl -sL "https://dl.gitea.io/tea/$TEA_VERSION/tea-$TEA_VERSION-linux-$ARCH" >"$TEA_BIN"
+ chmod +x "$TEA_BIN"
 fi
 }
 get_tag() {
 if ! test -f "$TAG_FILE"; then
- if api GET repos/$REPO/tags/"$TAG_URL" >"$TAG_FILE"; then
+ if api GET "repos/$REPO/tags/$TAG_URL" >"$TAG_FILE"; then
 echo "tag $TAG exists"
 else
 echo "tag $TAG does not exists"
@@ -69,12 +69,12 @@ ensure_tag() {
 }
 create_tag() {
- api POST repos/$REPO/tags --data-raw '{"tag_name": "'"$TAG"'", "target": "'"$SHA"'"}' >"$TAG_FILE"
+ api POST "repos/$REPO/tags" --data-raw '{"tag_name": "'"$TAG"'", "target": "'"$SHA"'"}' >"$TAG_FILE"
 }
 delete_tag() {
 if get_tag; then
- api DELETE repos/$REPO/tags/"$TAG_URL"
+ api DELETE "repos/$REPO/tags/$TAG_URL"
 rm -f "$TAG_FILE"
 fi
 }
@@ -94,11 +94,11 @@ upload_release() {
 echo "Uploading as Stable"
 fi
 ensure_tag
- if ! $TEA_BIN release create "${assets[@]}" --repo $REPO --note "$RELEASENOTES" --tag "$TAG" --title "$TITLE" --draft ${releaseType} >&"$TMP_DIR"/tea.log; then
+ if ! $TEA_BIN release create "${assets[@]}" --repo "$REPO" --note "$RELEASENOTES" --tag "$TAG" --title "$TITLE" --draft ${releaseType} >&"$TMP_DIR"/tea.log; then
 if grep --quiet 'Unknown API Error: 500' "$TMP_DIR"/tea.log && grep --quiet services/release/release.go:194 "$TMP_DIR"/tea.log; then
 echo "workaround v1.20 race condition https://codeberg.org/forgejo/forgejo/issues/1370"
 sleep 10
- $TEA_BIN release create "${assets[@]}" --repo $REPO --note "$RELEASENOTES" --tag "$TAG" --title "$TITLE" --draft ${releaseType}
+ $TEA_BIN release create "${assets[@]}" --repo "$REPO" --note "$RELEASENOTES" --tag "$TAG" --title "$TITLE" --draft ${releaseType}
 else
 cat "$TMP_DIR"/tea.log
 return 1
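Review bot: `curl -sL "https://dl.gitea.io/tea/$TEA_VERSION/tea-$TEA_VERSION-linux-$ARCH" >"$TEA_BIN"` has no `--fail`, so an HTTP error body is written to `$TEA_BIN`, made executable by the next line and later executed with `GITEA_SERVER_TOKEN` in its environment (hunk `@@ -159`); `set -e` does not catch this because curl exits 0 on a 4xx/5xx response. The other download in this file uses `curl --fail -s -S`, so this line should match it: `curl --fail -sSL "https://dl.gitea.io/tea/$TEA_VERSION/tea-$TEA_VERSION-linux-$ARCH" >"$TEA_BIN"`. Because the binary is handed the API token, verifying it against a pinned checksum after the download, rather than trusting the transport alone, would also be appropriate here. The unchanged `which tea` lines above could become `command -v tea`.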
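Review bot: `api POST "repos/$REPO/tags" --data-raw '{"tag_name": "'"$TAG"'", "target": "'"$SHA"'"}'` still assembles the JSON body by string concatenation, so a tag name containing `"` or `\` produces a malformed or altered request; the added quotes around the path do not reach that. jq is already a dependency of this script, so the body can be built safely with `--data-raw "$(jq -cn --arg tag "$TAG" --arg sha "$SHA" '{tag_name: $tag, target: $sha}')"`. The `--data-raw` body in `release_draft` (hunk `@@ -111`) splices `$state` and `$HIDE_ARCHIVE_LINK` the same way and would take the same treatment, with `--argjson` for those two boolean values.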
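Review bot: both `$TEA_BIN release create … --draft ${releaseType}` lines keep `${releaseType}` unquoted so that an empty value vanishes, as the commit message explains, but that depends on word splitting and leaves SC2086 in place; the idiomatic form for an optional argument is an array, initialised empty where `releaseType` is assigned (above this hunk, outside my view), filled as `release_type_args=("$releaseType")` only when the value is non-empty, and passed as `"${release_type_args[@]}"` on both invocations. `$TEA_BIN` is unquoted on the same two lines and should be `"$TEA_BIN"`, since it is a filesystem path.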
@@ -111,17 +111,17 @@ upload_release() {
 release_draft() {
 local state="$1"
- local id=$(api GET repos/$REPO/releases/tags/"$TAG_URL" | jq --raw-output .id)
+ local id=$(api GET "repos/$REPO/releases/tags/$TAG_URL" | jq --raw-output .id)
- api PATCH repos/$REPO/releases/"$id" --data-raw '{"draft": '"$state"', "hide_archive_links": '$HIDE_ARCHIVE_LINK'}'
+ api PATCH "repos/$REPO/releases/$id" --data-raw '{"draft": '"$state"', "hide_archive_links": '"$HIDE_ARCHIVE_LINK"'}'
 }
 maybe_use_release_note_assistant() {
 if "$RELEASE_NOTES_ASSISTANT"; then
- curl --fail -s -S -o rna https://code.forgejo.org/forgejo/release-notes-assistant/releases/download/$RELEASE_NOTES_ASSISTANT_VERSION/release-notes-assistant
+ curl --fail -s -S -o rna "https://code.forgejo.org/forgejo/release-notes-assistant/releases/download/$RELEASE_NOTES_ASSISTANT_VERSION/release-notes-assistant"
 chmod +x ./rna
- mkdir -p $RELEASE_NOTES_ASSISTANT_WORKDIR
- ./rna --workdir=$RELEASE_NOTES_ASSISTANT_WORKDIR --storage release --storage-location "$TAG" --token "$TOKEN" --forgejo-url "$SCHEME://$HOST" --repository $REPO --token "$TOKEN" release "$TAG"
+ mkdir -p "$RELEASE_NOTES_ASSISTANT_WORKDIR"
+ ./rna --workdir="$RELEASE_NOTES_ASSISTANT_WORKDIR" --storage release --storage-location "$TAG" --token "$TOKEN" --forgejo-url "$SCHEME://$HOST" --repository "$REPO" --token "$TOKEN" release "$TAG"
 fi
 }
@@ -130,12 +130,12 @@ sign_release() {
 if test -s "$GPG_PASSPHRASE"; then
 passphrase="--passphrase-file $GPG_PASSPHRASE"
 fi
- gpg --import --no-tty --pinentry-mode loopback $passphrase "$GPG_PRIVATE_KEY"
+ gpg --import --no-tty --pinentry-mode loopback "$passphrase" "$GPG_PRIVATE_KEY"
 for asset in "$RELEASE_DIR"/*; do
 if [[ $asset =~ .sha256$ ]]; then
 continue
 fi
- gpg --armor --detach-sign --no-tty --pinentry-mode loopback $passphrase <"$asset" >"$asset".asc
+ gpg --armor --detach-sign --no-tty --pinentry-mode loopback "$passphrase" <"$asset" >"$asset".asc
 done
 }
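Review bot: `local id=$(api GET "repos/$REPO/releases/tags/$TAG_URL" | jq --raw-output .id)` hides the status of the pipeline behind `local` (SC2155), and since only `set -e` is active, not `pipefail`, a failed `api` call gives jq empty input and jq exits 0 anyway, so `id` ends up empty or `null` and the following `api PATCH "repos/$REPO/releases/$id"` targets a wrong URL. Split declaration from assignment and validate the id before it is used in the path: `local id` / `id=$(api GET "repos/$REPO/releases/tags/$TAG_URL" | jq --raw-output .id)` / `[[ "$id" =~ ^[0-9]+$ ]] || return 1`. The `'"$HIDE_ARCHIVE_LINK"'` splice is still unquoted JSON, so any value other than `true`/`false` produces an invalid body.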
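Review bot: quoting `"$passphrase"` on the two gpg lines changes the command and breaks signing in both configurations: when `$GPG_PASSPHRASE` is non-empty, `--passphrase-file <path>` is now a single argument that gpg does not recognise as an option, and when it is empty gpg receives a literal empty argument instead of nothing. Keep the quoting but make the variable an array: initialise it as `passphrase=()` where it is declared above this hunk, assign `passphrase=(--passphrase-file "$GPG_PASSPHRASE")` in the `if test -s` branch, and pass `"${passphrase[@]}"` on both gpg lines. As far as I can see this is the only hunk in the patch where the newly quoted variable held more than one word, so it is the one to fix before merging.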
@@ -149,7 +149,7 @@ maybe_override() {
 if test "$OVERRIDE" = "false"; then
 return
 fi
- api DELETE repos/$REPO/releases/tags/"$TAG_URL" >&/dev/null || true
+ api DELETE "repos/$REPO/releases/tags/$TAG_URL" >&/dev/null || true
 if get_tag && ! matched_tag; then
 delete_tag
 fi
@@ -159,7 +159,7 @@ upload() {
 setup_api
 setup_tea
 rm -f ~/.config/tea/config.yml
- GITEA_SERVER_TOKEN=$TOKEN $TEA_BIN login add --url $FORGEJO
+ GITEA_SERVER_TOKEN=$TOKEN $TEA_BIN login add --url "$FORGEJO"
 maybe_sign_release
 maybe_override
 upload_release
@@ -178,13 +178,13 @@ api() {
 path=$1
 shift
- curl --fail -X "$method" -sS -H "Content-Type: application/json" -H "Authorization: token $TOKEN" "$@" $FORGEJO/api/v1/"$path"
+ curl --fail -X "$method" -sS -H "Content-Type: application/json" -H "Authorization: token $TOKEN" "$@" "$FORGEJO/api/v1/$path"
 }
 wait_release() {
 local ready=false
- for i in $(seq $RETRY); do
- if api GET repos/$REPO/releases/tags/"$TAG_URL" | jq --raw-output .draft >"$TMP_DIR"/draft; then
+ for i in $(seq "$RETRY"); do
+ if api GET "repos/$REPO/releases/tags/$TAG_URL" | jq --raw-output .draft >"$TMP_DIR"/draft; then
 if test "$(cat "$TMP_DIR"/draft)" = "false"; then
 ready=true
 break
@@ -194,7 +194,7 @@ wait_release() {
 echo "release $TAG does not exist yet"
 fi
 echo "waiting $DELAY seconds"
- sleep $DELAY
+ sleep "$DELAY"
 done
 if ! $ready; then
 echo "no release for $TAG"
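Review bot: `GITEA_SERVER_TOKEN=$TOKEN $TEA_BIN login add --url "$FORGEJO"` places the token in a command line that `set -x` (enabled at the top of the file when `VERBOSE` is true) writes verbatim to the job log, and the same holds for `-H "Authorization: token $TOKEN"` in `api()` (hunk `@@ -178`) and the `--token "$TOKEN"` arguments to `./rna` (hunk `@@ -111`). Bracket those commands with `{ set +x; } 2>/dev/null` and re-enable tracing afterwards with the same `if ${VERBOSE:-false}; then set -x; fi` used at the top, or write the curl header to a file under `"$TMP_DIR"` and pass it with `-H @file` so the token is never on argv, where it is also visible to other processes on the runner. `$TEA_BIN` is also unquoted on this line.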
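Review bot: `for i in $(seq "$RETRY"); do` spawns a process for a counted loop and leaves `i` unused (SC2034); bash's arithmetic loop `for ((i = 1; i <= RETRY; i++)); do` does the same without `seq` and reads as intended. On the next line, `api GET … | jq --raw-output .draft >"$TMP_DIR"/draft` reports success even when the API call fails, because without `pipefail` the `if` sees only jq's status and jq exits 0 on empty input; the loop copes with that only because the inner `test` then compares the empty file against the literal `false` and fails. `wait_release` continues past the end of this hunk.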
@@ -205,15 +205,15 @@ wait_release() {
 download() {
 setup_api
 (
- mkdir -p $RELEASE_DIR
- cd $RELEASE_DIR
+ mkdir -p "$RELEASE_DIR"
+ cd "$RELEASE_DIR"
 if [[ ${DOWNLOAD_LATEST} == "true" ]]; then
 echo "Downloading the latest release"
- api GET repos/$REPO/releases/latest >"$TMP_DIR"/assets.json
+ api GET "repos/$REPO/releases/latest" >"$TMP_DIR"/assets.json
 elif [[ ${DOWNLOAD_LATEST} == "false" ]]; then
 wait_release
 echo "Downloading tagged release ${TAG}"
- api GET repos/$REPO/releases/tags/"$TAG_URL" >"$TMP_DIR"/assets.json
+ api GET "repos/$REPO/releases/tags/$TAG_URL" >"$TMP_DIR"/assets.json
 fi
 jq --raw-output '.assets[] | "\(.browser_download_url) \(.name)"' <"$TMP_DIR"/assets.json | while read url name; do # `name` may contain whitespace, therefore, it must be last
 url=$(echo "$url" | sed "s#/download/${TAG}/#/download/${TAG_URL}/#")
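Review bot: `while read url name; do` at the bottom of the hunk is `read` without `-r` (SC2162), so a backslash in an asset name returned by the API is interpreted rather than preserved; given the commit's goal of clearing ShellCheck warnings this is the obvious leftover in the hunk: `while read -r url name; do`. The following `sed "s#/download/${TAG}/#/download/${TAG_URL}/#"` interpolates `$TAG` into a regular expression, so a tag containing `#` or a regex metacharacter changes or breaks the substitution; a bash pattern substitution with a double-quoted (hence literal) pattern, or escaping `$TAG` for sed, avoids that. The `download()` body continues past the end of the hunk.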