From b740f24e716f0bf13b84474987fcd20396f68465 Mon Sep 17 00:00:00 2001
From: Letro Bot
Date: Sun, 26 Apr 2026 13:16:20 +0330
Subject: [PATCH] fix: pass bake metadata via env var to avoid shell injection
---
 .github/workflows/build.yaml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index b3f60fdb9..cd9cb0368 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -285,9 +285,11 @@ jobs:
 # This transforms the ouput to an object which looks like this:
 # { reguar: { digest: "…", tags: ["…", "…"] }, debug: { digest: "…", tags: ["…"] }, … }
 id: output
+ env:
+ BAKE_METADATA: ${{ steps.bake.outputs.metadata }}
 run: |
 echo 'metadata<> $GITHUB_OUTPUT
- echo '${{ steps.bake.outputs.metadata }}' | jq -c 'with_entries(select(.value | (type == "object" and has("containerimage.digest")))) | map_values({ digest: .["containerimage.digest"], tags: (.["image.name"] | split(",")) })' >> $GITHUB_OUTPUT
+ echo "$BAKE_METADATA" | jq -c 'with_entries(select(.value | (type == "object" and has("containerimage.digest")))) | map_values({ digest: .["containerimage.digest"], tags: (.["image.name"] | split(",")) })' >> $GITHUB_OUTPUT
 echo 'EOF' >> $GITHUB_OUTPUT
 - name: Sign the images with GitHub Actions provided token
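Review bot: The value this step writes to `$GITHUB_OUTPUT` is still derived from the same bake metadata (the `tags` come from `image.name`), so any later step that expands `${{ steps.output.outputs.metadata }}` directly inside a `run:` script would bring back the quoting problem fixed here. The consumers are outside this hunk (the `Sign the images` step only begins on its last line), so they should be checked and, where needed, given the same `env:` treatment. On the new line itself, `printf '%s\n' "$BAKE_METADATA"` is more predictable than `echo`, whose handling of backslashes and leading dashes varies between shells, and the redirect target should be quoted as `>> "$GITHUB_OUTPUT"`. A short comment above `env:`, for example `# Passed via env: an inline ${{ }} is expanded before the shell parses the script`, would keep the reason visible to whoever edits this step next.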