fix: tighten up shell arg quoting in GitHub workflows (#14864)

Inspired by the work done over in
https://github.com/openai/codex-action/pull/74, this tightens up our use
of GitHub expressions as shell/environment variables.
Michael Bolin
2026-03-16 22:01:16 -07:00
committed by GitHub
parent 8e34caffcc
commit 15ede607a0
6 changed files with 36 additions and 18 deletions


@@ -117,6 +117,8 @@ runs:
- name: Sign macOS binaries
if: ${{ inputs.sign-binaries == 'true' }}
shell: bash
env:
TARGET: ${{ inputs.target }}
run: |
set -euo pipefail
@@ -131,7 +133,7 @@ runs:
fi
for binary in codex codex-responses-api-proxy; do
path="codex-rs/target/${{ inputs.target }}/release/${binary}"
path="codex-rs/target/${TARGET}/release/${binary}"
codesign --force --options runtime --timestamp --sign "$APPLE_CODESIGN_IDENTITY" "${keychain_args[@]}" "$path"
done
@@ -139,6 +141,7 @@ runs:
if: ${{ inputs.sign-binaries == 'true' }}
shell: bash
env:
TARGET: ${{ inputs.target }}
APPLE_NOTARIZATION_KEY_P8: ${{ inputs.apple-notarization-key-p8 }}
APPLE_NOTARIZATION_KEY_ID: ${{ inputs.apple-notarization-key-id }}
APPLE_NOTARIZATION_ISSUER_ID: ${{ inputs.apple-notarization-issuer-id }}
@@ -163,7 +166,7 @@ runs:
notarize_binary() {
local binary="$1"
local source_path="codex-rs/target/${{ inputs.target }}/release/${binary}"
local source_path="codex-rs/target/${TARGET}/release/${binary}"
local archive_path="${RUNNER_TEMP}/${binary}.zip"
if [[ ! -f "$source_path" ]]; then
@@ -184,6 +187,7 @@ runs:
if: ${{ inputs.sign-dmg == 'true' }}
shell: bash
env:
TARGET: ${{ inputs.target }}
APPLE_NOTARIZATION_KEY_P8: ${{ inputs.apple-notarization-key-p8 }}
APPLE_NOTARIZATION_KEY_ID: ${{ inputs.apple-notarization-key-id }}
APPLE_NOTARIZATION_ISSUER_ID: ${{ inputs.apple-notarization-issuer-id }}
@@ -206,7 +210,8 @@ runs:
source "$GITHUB_ACTION_PATH/notary_helpers.sh"
dmg_path="codex-rs/target/${{ inputs.target }}/release/codex-${{ inputs.target }}.dmg"
dmg_name="codex-${TARGET}.dmg"
dmg_path="codex-rs/target/${TARGET}/release/${dmg_name}"
if [[ ! -f "$dmg_path" ]]; then
echo "dmg $dmg_path not found"
@@ -219,7 +224,7 @@ runs:
fi
codesign --force --timestamp --sign "$APPLE_CODESIGN_IDENTITY" "${keychain_args[@]}" "$dmg_path"
notarize_submission "codex-${{ inputs.target }}.dmg" "$dmg_path" "$notary_key_path"
notarize_submission "$dmg_name" "$dmg_path" "$notary_key_path"
xcrun stapler staple "$dmg_path"
- name: Remove signing keychain
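Review bot: `TARGET` no longer gets spliced into the script text, but in the "Sign macOS binaries" step it still reaches `path="codex-rs/target/${TARGET}/release/${binary}"` unchecked, so a value containing `/` or `..` would point `codesign` at a file outside the build tree. A guard right after `set -euo pipefail` would close that, for example `[[ "$TARGET" =~ ^[A-Za-z0-9_-]+$ ]] || { echo "unexpected target: $TARGET" >&2; exit 1; }`, with the character class adjusted to the target triples this project actually builds. The same applies to `source_path` in `notarize_binary` and to `dmg_name`/`dmg_path` in the dmg step. The input is presumably set only by this repository's own workflows, so this is hardening rather than a live hole. The `run:` blocks start and end outside the visible hunks, so an existing check elsewhere in them cannot be ruled out from here.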