Open rsenden opened 7 months ago
Some testing on this seems to indicate that something like user-specified EXTRA_PACKAGE_OPTS: -opt "arg with space" --other-opt
actually works just fine with the internal/run
action, but further testing would be useful.
We now also have the internal/run-script
action; we need to test whether user-specified EXTRA_*_OPTS
referenced in scripts executed through this action also properly handle quoted options containing spaces. An example is EXTRA_SC_SAST_SCAN_OPTS
as used in sc-sast-and-debricked-scan.sh
.
As described in #15,
@actions/exec
seems to eat/ignore double quotes around command arguments, causing issues if arguments contain spaces. This has been fixed for app/version/release names containing spaces when invoking FortifyVulnerabilityExporter by using triple single quotes, however there are many other places where we use double quotes to handle potential spaces. In most places, it's unlikely but not impossible that arguments containing spaces are being passed.Ideally, the
internal/run
action should properly handle arguments surrounded by double quotes, to fix handling of spaces in all actions, including for multi-argument environment variables passed by the calling workflow likeEXTRA_PACKAGE_OPTS
, i.e. users should be able to pass something likeEXTRA_PACKAGE_OPTS: -opt "arg with space" --other-opt
, which theinternal/run
action should pass as 3 (and not 5) separate command-line arguments.Alternatively but less preferable, we could update all actions to use triple single quotes instead of double quotes to properly handle arguments containing spaces internally, but we'd then also need to document this approach for user-provided environment variables. In the example above, users would need to pass
EXTRA_PACKAGE_OPTS: -opt '''arg with space''' --other-opt
instead. Users are not accustomed to such notation, so this can easily lead to unexpected results and errors.