From 2f5a3a28695f3f60925ba311f52cfd533b76e552 Mon Sep 17 00:00:00 2001
From: Chris Banks
Date: Thu, 16 May 2024 15:47:54 +0100
Subject: [PATCH] Fix issues with deploy.yml workflow.
- Don't substitute values from GitHub Actions directly into shell commands.
- Fix shellcheck issues (mostly with quoting).
---
 .github/workflows/build-and-push-image.yml | 2 +-
 .github/workflows/deploy.yml | 9 +++++----
 2 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/build-and-push-image.yml b/.github/workflows/build-and-push-image.yml
index 92cd1a853..53184145e 100644
--- a/.github/workflows/build-and-push-image.yml
+++ b/.github/workflows/build-and-push-image.yml
@@ -54,7 +54,7 @@ jobs:
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@v3
- - run: echo "sha=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT
+ - run: echo "sha=$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT"
 id: local-head
 - name: Determine image tags
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 492de4e25..8788a9ba5 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -16,7 +16,7 @@ on:
 environment:
 description: 'Environment to deploy to'
 required: false
- default: 'integration'
+ default: integration
 type: string
 secrets:
 WEBHOOK_TOKEN:
@@ -39,11 +39,12 @@ jobs:
 GH_TOKEN: ${{ secrets.GH_TOKEN }}
 GITHUB_TEAM: gov-uk-production-deploy
 GITHUB_USER: ${{ github.triggering_actor }}
+ TRIGGERING_ACTOR: ${{ github.triggering_actor }}
 run: |
- TEAM_MEMBERSHIP=$(gh api orgs/alphagov/teams/${GITHUB_TEAM}/memberships/${GITHUB_USER} -q .state || echo "false")
+ TEAM_MEMBERSHIP=$(gh api "orgs/alphagov/teams/$GITHUB_TEAM/memberships/$GITHUB_USER" -q .state || echo false)
- if ! [[ "${TEAM_MEMBERSHIP}" = "active" || "${ENVIRONMENT}" = 'integration' ]]; then
- echo '::error title=Insufficient permissions to deploy::User ${{ github.triggering_actor }} needs to be a member of the GOV.UK Production Deploy team'
+ if ! [[ "$TEAM_MEMBERSHIP" = active || "$ENVIRONMENT" = integration ]]; then
+ echo "::error title=Insufficient permissions to deploy::User $TRIGGERING_ACTOR needs to be a member of the GOV.UK Production Deploy team"
 exit 1
 fi
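Review bot: `TRIGGERING_ACTOR` is added to the step's `env` with the same expression as the existing `GITHUB_USER` (`${{ github.triggering_actor }}`), so the membership lookup and the error message now read the identity from two separate variables. Reusing the existing one in the message, `echo "::error title=Insufficient permissions to deploy::User $GITHUB_USER needs to be a member of the GOV.UK Production Deploy team"`, would drop the extra variable and keep the name in the message tied to the one that was actually checked if either expression is ever changed. Separately, `|| echo false` turns any `gh api` failure (for example an expired token or a rate limit) into the same "Insufficient permissions" error; that fails closed, which is the safe direction, but a one-line comment above the lookup such as `# any gh api error is treated as non-membership (fail closed)` would show it is deliberate. The step's `env:` block starts above the hunk, so where `ENVIRONMENT` is set is not visible here.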