better security

mydea · mydea · commit db738561f6c5 · 2026-04-28T14:03:31.000+02:00
diff --git a/.github/actions/nx-affected-list/action.yml b/.github/actions/nx-affected-list/action.yml
@@ -20,14 +20,17 @@ runs:
     - name: Get affected Nx projects
       id: affected
       shell: bash
+      env:
+        INPUT_BASE: ${{ inputs.base }}
+        INPUT_HEAD: ${{ inputs.head }}
       run: |
         set -euo pipefail
-        ARGS=""
-        if [ -n "${{ inputs.base }}" ]; then ARGS="$ARGS --base=${{ inputs.base }}"; fi
-        if [ -n "${{ inputs.head }}" ]; then ARGS="$ARGS --head=${{ inputs.head }}"; fi
+        extra_args=()
+        if [ -n "${INPUT_BASE:-}" ]; then extra_args+=(--base="$INPUT_BASE"); fi
+        if [ -n "${INPUT_HEAD:-}" ]; then extra_args+=(--head="$INPUT_HEAD"); fi
 
         # Fail the step on nx/git errors so empty output cannot skip integration jobs silently.
-        AFFECTED=$(./node_modules/.bin/nx show projects --affected $ARGS | tr '\n' ' ' | xargs)
+        AFFECTED=$(./node_modules/.bin/nx show projects --affected "${extra_args[@]}" | tr '\n' ' ' | xargs)
         echo "affected=$AFFECTED" >> "$GITHUB_OUTPUT"
 
         if [ -n "$AFFECTED" ]; then
