ci: harden workflow action input handling

2026-02-19 15:27:41 +01:00
parent efca61e3ac
commit 9130fd2b06
6 changed files with 132 additions and 9 deletions
--- a/.github/actions/setup-node-env/action.yml
+++ b/.github/actions/setup-node-env/action.yml
@@ -37,7 +37,7 @@ runs:
        exit 1

    - name: Setup Node.js
-      uses: actions/setup-node@v4
+      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
      with:
        node-version: ${{ inputs.node-version }}
        check-latest: true
@@ -70,14 +70,29 @@ runs:
      shell: bash
      env:
        CI: "true"
+        FROZEN_LOCKFILE: ${{ inputs.frozen-lockfile }}
      run: |
+        set -euo pipefail
        export PATH="$NODE_BIN:$PATH"
        which node
        node -v
        pnpm -v
-        LOCKFILE_FLAG=""
-        if [ "${{ inputs.frozen-lockfile }}" = "true" ]; then
-          LOCKFILE_FLAG="--frozen-lockfile"
+        case "$FROZEN_LOCKFILE" in
+          true) LOCKFILE_FLAG="--frozen-lockfile" ;;
+          false) LOCKFILE_FLAG="" ;;
+          *)
+            echo "::error::Invalid frozen-lockfile input: '$FROZEN_LOCKFILE' (expected true or false)"
+            exit 2
+            ;;
+        esac
+
+        install_args=(
+          install
+          --ignore-scripts=false
+          --config.engine-strict=false
+          --config.enable-pre-post-scripts=true
+        )
+        if [ -n "$LOCKFILE_FLAG" ]; then
+          install_args+=("$LOCKFILE_FLAG")
        fi
-        pnpm install $LOCKFILE_FLAG --ignore-scripts=false --config.engine-strict=false --config.enable-pre-post-scripts=true || \
-        pnpm install $LOCKFILE_FLAG --ignore-scripts=false --config.engine-strict=false --config.enable-pre-post-scripts=true
+        pnpm "${install_args[@]}" || pnpm "${install_args[@]}"