From 6d16be4669655e3ee996b2b6f4110187601d8244 Mon Sep 17 00:00:00 2001
From: Marcel
Date: Tue, 12 May 2026 09:25:51 +0200
Subject: [PATCH] fix(ci): quote \$RESOLVE in all curl calls

Unquoted variable expansion is safe here since the value contains no spaces or glob characters, but quoting is the correct default and keeps the script consistent with surrounding style.

Addresses review suggestion by Felix Brandt and Tobias Wendt.

Co-Authored-By: Claude Sonnet 4.6
---
 .gitea/workflows/nightly.yml | 8 ++++----
 .gitea/workflows/release.yml | 8 ++++----
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/.gitea/workflows/nightly.yml b/.gitea/workflows/nightly.yml
index 5e57c6e4..7bc67a0e 100644
--- a/.gitea/workflows/nightly.yml
+++ b/.gitea/workflows/nightly.yml
@@ -173,18 +173,18 @@ jobs:
 [ -n "$HOST_IP" ] || { echo "ERROR: could not detect Docker bridge gateway via 'ip route'"; exit 1; }
 RESOLVE="--resolve $HOST:443:$HOST_IP"
 echo "Smoke test: $URL (pinned to $HOST_IP via bridge gateway)"
- curl -fsS $RESOLVE --max-time 10 "$URL/login" -o /dev/null
+ curl -fsS "$RESOLVE" --max-time 10 "$URL/login" -o /dev/null
 # Pin the preload-list-eligible HSTS value, not just header presence:
 # a degraded `max-age=1` or a dropped `includeSubDomains; preload` must
 # fail this check rather than pass it silently.
- curl -fsS $RESOLVE --max-time 10 -I "$URL/" \
+ curl -fsS "$RESOLVE" --max-time 10 -I "$URL/" \
 | grep -Eqi 'strict-transport-security:[[:space:]]*max-age=31536000.*includeSubDomains.*preload'
 # Permissions-Policy denies APIs the app does not use (camera,
 # microphone, geolocation). A regression that loosens or drops the
 # header now fails the smoke step.
- curl -fsS $RESOLVE --max-time 10 -I "$URL/" \
+ curl -fsS "$RESOLVE" --max-time 10 -I "$URL/" \
 | grep -Eqi 'permissions-policy:[[:space:]]*camera=\(\),[[:space:]]*microphone=\(\),[[:space:]]*geolocation=\(\)'
- status=$(curl -s $RESOLVE -o /dev/null -w "%{http_code}" --max-time 10 "$URL/actuator/health")
+ status=$(curl -s "$RESOLVE" -o /dev/null -w "%{http_code}" --max-time 10 "$URL/actuator/health")
 [ "$status" = "404" ] || { echo "expected 404 from /actuator/health, got $status"; exit 1; }
 echo "All smoke checks passed"
diff --git a/.gitea/workflows/release.yml b/.gitea/workflows/release.yml
index 714dc864..d980ca10 100644
--- a/.gitea/workflows/release.yml
+++ b/.gitea/workflows/release.yml
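Review bot: Quoting `$RESOLVE` in the four curl lines of this hunk breaks them, because the context line `RESOLVE="--resolve $HOST:443:$HOST_IP"` stores the option name and its value separated by a space and the old unquoted expansion relied on word splitting to hand curl two argv elements; with the quotes curl receives the single element `--resolve <host>:443:<ip>`, which it does not split and reports as an unknown option, so every smoke call fails even against a healthy deployment and the `status` capture compares an empty string against `404`. The commit description's statement that the value contains no spaces does not hold for this assignment. Assuming the `run:` step executes under bash, hold the option in an array instead, `RESOLVE=(--resolve "$HOST:443:$HOST_IP")`, and pass it as `"${RESOLVE[@]}"` in each of the four calls, which keeps the pinned-host resolution intact while satisfying the quoting rule. The identical hunk in `.gitea/workflows/release.yml` needs the same change. The enclosing `run:` block begins before this hunk.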
@@ -117,18 +117,18 @@ jobs:
 [ -n "$HOST_IP" ] || { echo "ERROR: could not detect Docker bridge gateway via 'ip route'"; exit 1; }
 RESOLVE="--resolve $HOST:443:$HOST_IP"
 echo "Smoke test: $URL (pinned to $HOST_IP via bridge gateway)"
- curl -fsS $RESOLVE --max-time 10 "$URL/login" -o /dev/null
+ curl -fsS "$RESOLVE" --max-time 10 "$URL/login" -o /dev/null
 # Pin the preload-list-eligible HSTS value, not just header presence:
 # a degraded `max-age=1` or a dropped `includeSubDomains; preload` must
 # fail this check rather than pass it silently.
- curl -fsS $RESOLVE --max-time 10 -I "$URL/" \
+ curl -fsS "$RESOLVE" --max-time 10 -I "$URL/" \
 | grep -Eqi 'strict-transport-security:[[:space:]]*max-age=31536000.*includeSubDomains.*preload'
 # Permissions-Policy denies APIs the app does not use (camera,
 # microphone, geolocation). A regression that loosens or drops the
 # header now fails the smoke step.
- curl -fsS $RESOLVE --max-time 10 -I "$URL/" \
+ curl -fsS "$RESOLVE" --max-time 10 -I "$URL/" \
 | grep -Eqi 'permissions-policy:[[:space:]]*camera=\(\),[[:space:]]*microphone=\(\),[[:space:]]*geolocation=\(\)'
- status=$(curl -s $RESOLVE -o /dev/null -w "%{http_code}" --max-time 10 "$URL/actuator/health")
+ status=$(curl -s "$RESOLVE" -o /dev/null -w "%{http_code}" --max-time 10 "$URL/actuator/health")
 [ "$status" = "404" ] || { echo "expected 404 from /actuator/health, got $status"; exit 1; }
 echo "All smoke checks passed"