From 64d8933bb8e87940477227f6900bef9c671c23c2 Mon Sep 17 00:00:00 2001 From: Radek Simko Date: Mon, 26 Jan 2026 15:44:53 +0000 Subject: [PATCH] github/equivalence-test: Ensure inputs are escaped (#38096) * github/equivalence-test: Ensure inputs are escaped Co-authored-by: jeevaratnamputla <132266626+jeevaratnamputla@users.noreply.github.com> * Make GH_TOKEN passing more explicit and limited --------- Co-authored-by: jeevaratnamputla <132266626+jeevaratnamputla@users.noreply.github.com> --- .github/actions/equivalence-test/action.yml | 39 +++++++++++++------ .github/workflows/equivalence-test-diff.yml | 7 ++-- .../equivalence-test-manual-update.yml | 4 +- .github/workflows/equivalence-test-update.yml | 10 ++--- 4 files changed, 37 insertions(+), 23 deletions(-) diff --git a/.github/actions/equivalence-test/action.yml b/.github/actions/equivalence-test/action.yml index cbfc51505e..c0ceebce64 100644 --- a/.github/actions/equivalence-test/action.yml +++ b/.github/actions/equivalence-test/action.yml @@ -25,18 +25,26 @@ inputs: message: description: "Message to include in the commit." required: true + github-token: + description: "Token to use for PR creation." + required: true + runs: using: "composite" steps: - name: "download equivalence test binary" shell: bash + env: + TARGET_VERSION: ${{ inputs.target-equivalence-test-version }} + TARGET_OS: ${{ inputs.target-os }} + TARGET_ARCH: ${{ inputs.target-arch }} run: | ./.github/scripts/equivalence-test.sh download_equivalence_test_binary \ - ${{ inputs.target-equivalence-test-version }} \ + "$TARGET_VERSION" \ ./bin/equivalence-tests \ - ${{ inputs.target-os }} \ - ${{ inputs.target-arch }} + "$TARGET_OS" \ + "$TARGET_ARCH" - name: Build terraform shell: bash 
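Review bot: The new `github-token` input is `required: true` but its description, `"Token to use for PR creation."`, does not say how it is used or what it needs, so a caller cannot tell from the action's interface whether a plain `github.token` is enough or which permission has to be granted. Suggest `description: "Token exported as GH_TOKEN for the 'create pull request' step (gh pr create); the calling workflow must grant pull-requests: write."`, which matches the permissions the workflows in this same patch declare. Moving the three download-step inputs into `env` and quoting them as `"$TARGET_VERSION"`, `"$TARGET_OS"`, `"$TARGET_ARCH"` looks right, and `./bin/equivalence-tests` stays a fixed path so nothing else in that command is interpolated. The `inputs:` mapping this hunk edits begins before the hunk.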
@@ -50,7 +58,7 @@ runs: --tests=testing/equivalence-tests/tests \ --goldens=testing/equivalence-tests/outputs \ --binary=$(pwd)/bin/terraform - + git add --intent-to-add testing/equivalence-tests/outputs changed=$(git diff --quiet -- testing/equivalence-tests/outputs || echo true) echo "changed=$changed" >> "${GITHUB_OUTPUT}" @@ -58,22 +66,31 @@ runs: - name: "branch, commit, and push changes" if: steps.execute.outputs.changed == 'true' shell: bash + env: + NEW_BRANCH: ${{ inputs.new-branch }} + # GitHub token w/ push permissions is inherited from the calling workflow here run: | git config user.name "hc-github-team-tf-core" git config user.email "github-team-tf-core@hashicorp.com" - git checkout -b ${{ inputs.new-branch }} + git checkout -b "$NEW_BRANCH" git add testing/equivalence-tests/outputs git commit -m "Update equivalence test golden files." - git push --set-upstream origin ${{ inputs.new-branch }} - + git push --set-upstream origin "$NEW_BRANCH" + - name: "create pull request" if: steps.execute.outputs.changed == 'true' shell: bash + env: + GH_TOKEN: ${{ inputs.github-token }} + CURRENT_BRANCH: ${{ inputs.current-branch }} + NEW_BRANCH: ${{ inputs.new-branch }} + PR_MESSAGE: ${{ inputs.message }} + PR_REVIEWERS: ${{ inputs.reviewers }} run: | gh pr create \ --draft \ - --base ${{ inputs.current-branch }} \ - --head ${{ inputs.new-branch }} \ + --base "$CURRENT_BRANCH" \ + --head "$NEW_BRANCH" \ --title "Update equivalence test golden files" \ - --body '${{ inputs.message }}' \ - --reviewer ${{ inputs.reviewers }} + --body "$PR_MESSAGE" \ + --reviewer "$PR_REVIEWERS" diff --git a/.github/workflows/equivalence-test-diff.yml b/.github/workflows/equivalence-test-diff.yml index f02a3b42d4..82a78c7667 100644 --- a/.github/workflows/equivalence-test-diff.yml +++ b/.github/workflows/equivalence-test-diff.yml 
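Review bot: The comment added above the push step, `# GitHub token w/ push permissions is inherited from the calling workflow here`, is looser than it should be: `git push` authenticates with whatever credential the caller's checkout left in the git config (presumably actions/checkout's persisted token, not visible in this action), not with the new `github-token` input, so a caller that passes a different token for PR creation would still push with the checkout credential. Suggest `# git push uses the credentials persisted by the caller's checkout step; inputs.github-token is only exported to the "create pull request" step below` so the split is explicit. Scoping `GH_TOKEN` to the single step that calls `gh` is the right least-privilege choice. One small follow-up: if `inputs.reviewers` can ever render empty (see `merged_by.login` in the update workflow), `--reviewer "$PR_REVIEWERS"` now passes an empty argument; the unquoted form would also have failed, so this is not a regression, but a guard around `--reviewer` would make the step robust.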
@@ -12,9 +12,6 @@ permissions: contents: read pull-requests: write -env: - GH_TOKEN: ${{ github.token }} - jobs: equivalence-test-diff: name: "Equivalence Test Diff" @@ -60,6 +57,8 @@ jobs: - name: Equivalence tests failed if: steps.equivalence-tests.outputs.exit-code == 1 # 1 is the exit code for failure shell: bash + env: + GH_TOKEN: ${{ github.token }} run: | gh pr comment ${{ github.event.pull_request.number }} \ --body "The equivalence tests failed. Please investigate [here](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})." @@ -68,6 +67,8 @@ jobs: - name: Equivalence tests changed if: steps.equivalence-tests.outputs.exit-code == 2 # 2 is the exit code for changed shell: bash + env: + GH_TOKEN: ${{ github.token }} run: | gh pr comment ${{ github.event.pull_request.number }} \ --body "The equivalence tests will be updated. Please verify the changes [here](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})." diff --git a/.github/workflows/equivalence-test-manual-update.yml b/.github/workflows/equivalence-test-manual-update.yml index 73b9dac1a6..4da533145d 100644 --- a/.github/workflows/equivalence-test-manual-update.yml +++ b/.github/workflows/equivalence-test-manual-update.yml @@ -21,9 +21,6 @@ permissions: contents: write pull-requests: write -env: - GH_TOKEN: ${{ github.token }} - jobs: run-equivalence-tests: name: "Run equivalence tests" @@ -52,3 +49,4 @@ jobs: new-branch: ${{ inputs.new-branch }} reviewers: ${{ github.actor }} message: "Update equivalence test golden files." + github-token: ${{ github.token }} diff --git a/.github/workflows/equivalence-test-update.yml b/.github/workflows/equivalence-test-update.yml index a8ed0ac033..0b7fa47476 100644 --- a/.github/workflows/equivalence-test-update.yml +++ b/.github/workflows/equivalence-test-update.yml 
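Review bot: Both `gh pr comment` steps still interpolate `${{ github.event.pull_request.number }}`, `${{ github.server_url }}`, `${{ github.repository }}` and `${{ github.run_id }}` directly into the shell script (this hunk at `@@ -60,6 +57,8 @@` and the one at `@@ -68,6 +67,8 @@`); these values are set by GitHub rather than by the PR author, so this is not an injection path, but it leaves the workflow inconsistent with the rest of this commit. For symmetry, add `PR_NUMBER: ${{ github.event.pull_request.number }}` and `RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}` beside the new `GH_TOKEN` entry and use `"$PR_NUMBER"` and `$RUN_URL` in the `run:` body. Replacing the workflow-level `env: GH_TOKEN` with per-step entries on exactly the two steps that invoke `gh` is a good tightening.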
@@ -8,9 +8,6 @@ permissions: contents: write pull-requests: write -env: - GH_TOKEN: ${{ github.token }} - jobs: check: name: "Should run equivalence tests?" @@ -23,19 +20,19 @@ jobs: run: | merged='${{ github.event.pull_request.merged }}' target_branch='${{ github.event.pull_request.base.ref }}' - + targets_release_branch=false if [ "$target_branch" == "main" ]; then targets_release_branch=true elif [ "$target_branch" =~ ^v[0-9]+\.[0-9]+$ ]; then targets_release_branch=true fi - + should_run=false if [ "$merged" == "true" ] && [ "$targets_release_branch" == "true" ]; then should_run=true fi - + echo "should_run=$should_run" >> ${GITHUB_OUTPUT} run-equivalence-tests: name: "Run equivalence tests" @@ -67,3 +64,4 @@ jobs: new-branch: equivalence-testing/${{ github.event.pull_request.head.ref }} reviewers: ${{ github.event.pull_request.merged_by.login }} message: "Update equivalence test golden files after ${{ github.event.pull_request.html_url }}." + github-token: ${{ github.token }}
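Review bot: In the `check` job script carried as context in `@@ -23,19 +20,19 @@`, `elif [ "$target_branch" =~ ^v[0-9]+\.[0-9]+$ ]; then` uses the regex operator inside single-bracket `[`, which is the `test` builtin and does not support `=~`; the condition fails with a binary-operator error and is treated as false, so a merge into a `vX.Y` release branch would never set `targets_release_branch=true` and `should_run` would stay `false`. It should read `elif [[ "$target_branch" =~ ^v[0-9]+\.[0-9]+$ ]]; then`. The defect is pre-existing, but this commit already touches the step (whitespace only), so it is a cheap fix to fold in. The same step also inlines `${{ github.event.pull_request.merged }}` and `${{ github.event.pull_request.base.ref }}` in single quotes; routing them through `env` as the rest of this commit does would be consistent, though `base.ref` has to name an existing branch of this repository, so the exposure is limited.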