
env key is ignored by shellcheck #573

@ReenigneArcher

Given the following snip (from LizardByte/.github#533, though I will likely have already worked around this error):

      - name: Test
        env:
          BRANCH: ${{ github.ref }}
          COMMIT: ${{ inputs.release_commit }}
        shell: bash
        run: |
          # get variables
          branch="${BRANCH}"
          commit="${COMMIT}"

I get the following output:

Error: .github/workflows/__call-docker.yml:154:9: shellcheck reported issue in this script: SC2153:info:2:9: Possible misspelling: BRANCH may not be assigned. Did you mean branch? [shellcheck]
    |
154 |         run: |
    |         ^~~~
Error: .github/workflows/__call-docker.yml:154:9: shellcheck reported issue in this script: SC2153:info:3:9: Possible misspelling: COMMIT may not be assigned. Did you mean commit? [shellcheck]
    |
154 |         run: |
    |         ^~~~
Error: Process completed with exit code 1.

I am moving the variables to the env block to prevent shell injection attacks as attackers can easily mess with CI if they are creative with their branch names.

Interestingly, I used the exact same pattern in this PR which did not have any errors with actionlint: https://github.com/LizardByte/Sunshine/pull/4266/files
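The env-block pattern described in the issue can be checked mechanically. The following is an added example, not code from the issue or from actionlint: it flags `${{ }}` expressions that are expanded directly inside a `run:` script, where the expanded text becomes part of the shell source, and reports nothing when the same values arrive through `env:`. The function name `find_inline_expressions` and the `INLINE` sample are constructed for illustration, and the scan is a line-based approximation, not a full YAML parser.

```python
import re

EXPR = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")
RUN_KEY = re.compile(r"^(?P<lead>\s*(?:-\s+)?)run:\s*(?P<rest>.*)$")

def find_inline_expressions(workflow_text):
    """Return (line_number, expression) for each ${{ }} inside a run: script."""
    findings = []
    block_col = None  # column of the run: key while inside a block scalar
    for no, line in enumerate(workflow_text.splitlines(), start=1):
        if block_col is not None:
            indent = len(line) - len(line.lstrip(" "))
            if not line.strip() or indent > block_col:
                findings += [(no, e) for e in EXPR.findall(line)]
                continue
            block_col = None  # dedent: the script block has ended
        m = RUN_KEY.match(line)
        if m:
            rest = m.group("rest")
            if rest[:1] in ("|", ">"):       # block scalar: run: | or run: >
                block_col = len(m.group("lead"))
            else:                            # single-line script
                findings += [(no, e) for e in EXPR.findall(rest)]
    return findings

# Constructed sample: expressions expanded into the script text itself.
INLINE = """\
      - name: Test
        shell: bash
        run: |
          # get variables
          branch="${{ github.ref }}"
          commit="${{ inputs.release_commit }}"
"""

# The step from the issue: values are passed through env and read as
# ordinary shell variables, so the script text never changes.
HARDENED = """\
      - name: Test
        env:
          BRANCH: ${{ github.ref }}
          COMMIT: ${{ inputs.release_commit }}
        shell: bash
        run: |
          # get variables
          branch="${BRANCH}"
          commit="${COMMIT}"
"""

if __name__ == "__main__":
    for name, text in (("inline", INLINE), ("hardened", HARDENED)):
        print(name, find_inline_expressions(text))
```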
