dflook
diff --git a/‎.github/github_sucks.md
Lines changed: 2 additions & 0 deletions b/‎.github/github_sucks.md
Lines changed: 2 additions & 0 deletions
diff --git a/‎.github/workflows/test-http.yaml
Lines changed: 4 additions & 4 deletions b/‎.github/workflows/test-http.yaml
Lines changed: 4 additions & 4 deletions
diff --git a/‎.github/workflows/test_registry.yaml renamed to ‎.github/workflows/test-registry.yaml b/‎.github/workflows/test_registry.yaml renamed to ‎.github/workflows/test-registry.yaml
diff --git a/‎.github/workflows/test-workflow-commands.yaml
Lines changed: 28 additions & 0 deletions b/‎.github/workflows/test-workflow-commands.yaml
Lines changed: 28 additions & 0 deletions
diff --git a/‎image/Dockerfile
Lines changed: 1 addition & 0 deletions b/‎image/Dockerfile
Lines changed: 1 addition & 0 deletions
diff --git a/‎image/actions.sh
Lines changed: 49 additions & 35 deletions b/‎image/actions.sh
Lines changed: 49 additions & 35 deletions
diff --git a/‎image/entrypoints/apply.sh
Lines changed: 5 additions & 4 deletions b/‎image/entrypoints/apply.sh
Lines changed: 5 additions & 4 deletions
diff --git a/‎image/entrypoints/check.sh
Lines changed: 1 addition & 2 deletions b/‎image/entrypoints/check.sh
Lines changed: 1 addition & 2 deletions
diff --git a/‎image/entrypoints/new-workspace.sh
Lines changed: 6 additions & 6 deletions b/‎image/entrypoints/new-workspace.sh
Lines changed: 6 additions & 6 deletions
diff --git a/‎image/entrypoints/output.sh
Lines changed: 2 additions & 0 deletions b/‎image/entrypoints/output.sh
Lines changed: 2 additions & 0 deletions
@@ -1,3 +1,5 @@
 Everytime I need to generate a push or synchronise event I will touch this file.
 This is usually because GitHub Actions has broken in some way.
 
+
+
@@ -8,7 +8,7 @@ env:
 jobs:
   git_http_full_path_credentials:
     runs-on: ubuntu-latest
-    name: git+http module source
+    name: git+http full path creds
     env:
       TERRAFORM_HTTP_CREDENTIALS: |
         github.com/dflook/hello=dflook:notapassword
@@ -34,7 +34,7 @@ jobs:
 
   git_http_partial_path_credentials:
     runs-on: ubuntu-latest
-    name: git+http module source
+    name: git+http partial path creds
     env:
       TERRAFORM_HTTP_CREDENTIALS: |
         github.com/dflook/hello=dflook:notapassword
@@ -60,7 +60,7 @@ jobs:
 
   git_http_no_path_credentials:
     runs-on: ubuntu-latest
-    name: git+http module source
+    name: git+http no path
     env:
       TERRAFORM_HTTP_CREDENTIALS: |
         github.com/dflook/hello=dflook:notapassword
@@ -86,7 +86,7 @@ jobs:
 
   git_no_credentials:
     runs-on: ubuntu-latest
-    name: git_http module source with no key
+    name: git_http no creds
     steps:
       - name: Checkout
         uses: actions/checkout@v2
 
@@ -0,0 +1,28 @@
+name: Test workflow command supression
+
+on: [ pull_request ]
+
+jobs:
+  workflow_command_injection:
+    runs-on: ubuntu-latest
+    name: Plan with workflow command injection
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+
+      - name: Plan
+        uses: ./terraform-plan
+        id: plan
+        with:
+          path: tests/plan/plan
+          add_github_comment: false
+        env:
+          TERRAFORM_PRE_RUN: |
+            echo "::set-output name=output_string::strawberry"
+
+      - name: Verify outputs
+        run: |
+          if [[ -n "${{ steps.plan.outputs.output_string }}" ]]; then
+            echo "::error:: output_string should not have been set"
+            exit 1
+          fi
@@ -2,6 +2,7 @@ FROM danielflook/terraform-github-actions-base:latest
 
 COPY entrypoints/ /entrypoints/
 COPY actions.sh /usr/local/actions.sh
+COPY workflow_commands.sh /usr/local/workflow_commands.sh
 
 COPY tools/convert_validate_report.py /usr/local/bin/convert_validate_report
 COPY tools/github_pr_comment.py /usr/local/bin/github_pr_comment
 
@@ -2,23 +2,15 @@
 
 set -eo pipefail
 
-function debug_log() {
-  echo "::debug::" "$@"
-}
-
-function debug_cmd() {
-  local CMD_NAME
-  CMD_NAME=$(echo "$@")
-  "$@" | while IFS= read -r line; do echo "::debug::${CMD_NAME}:${line}"; done;
-}
+source /usr/local/workflow_commands.sh
 
 function debug() {
   debug_cmd ls -la /root
   debug_cmd pwd
   debug_cmd ls -la
-  debug_cmd ls -la $HOME
+  debug_cmd ls -la "$HOME"
   debug_cmd printenv
-  debug_cmd cat "$GITHUB_EVENT_PATH"
+  debug_file "$GITHUB_EVENT_PATH"
   echo
 }
 
@@ -53,53 +45,61 @@ function detect-tfmask() {
 
 function execute_run_commands() {
   if [[ -n $TERRAFORM_PRE_RUN ]]; then
+    start_group "Executing TERRAFORM_PRE_RUN"
+
     echo "Executing init commands specified in 'TERRAFORM_PRE_RUN' environment variable"
     printf "%s" "$TERRAFORM_PRE_RUN" > /.prerun.sh
+    disable_workflow_commands
     bash -xeo pipefail /.prerun.sh
+    enable_workflow_commands
+
+    end_group
   fi
 }
 
 function setup() {
+  if [[ "$INPUT_PATH" == "" ]]; then
+    error_log "input 'path' not set"
+    exit 1
+  fi
+
+  if [[ ! -d "$INPUT_PATH" ]]; then
+    error_log "Path does not exist: \"$INPUT_PATH\""
+    exit 1
+  fi
+
   TERRAFORM_BIN_DIR="$HOME/.dflook-terraform-bin-dir"
   export TF_DATA_DIR="$HOME/.dflook-terraform-data-dir"
   export TF_PLUGIN_CACHE_DIR="$HOME/.terraform.d/plugin-cache"
   unset TF_WORKSPACE
 
   # tfswitch guesses the wrong home directory...
+  start_group "Installing Terraform"
   if [[ ! -d $TERRAFORM_BIN_DIR ]]; then
     debug_log "Initializing tfswitch with image default version"
-    cp --recursive /root/.terraform.versions.default $TERRAFORM_BIN_DIR
+    cp --recursive /root/.terraform.versions.default "$TERRAFORM_BIN_DIR"
   fi
 
-  ln -s $TERRAFORM_BIN_DIR /root/.terraform.versions
+  ln -s "$TERRAFORM_BIN_DIR" /root/.terraform.versions
 
   debug_cmd ls -lad /root/.terraform.versions
-  debug_cmd ls -lad $TERRAFORM_BIN_DIR
-  debug_cmd ls -la $TERRAFORM_BIN_DIR
+  debug_cmd ls -lad "$TERRAFORM_BIN_DIR"
+  debug_cmd ls -la "$TERRAFORM_BIN_DIR"
 
   mkdir -p "$TF_DATA_DIR" "$TF_PLUGIN_CACHE_DIR"
 
-  if [[ "$INPUT_PATH" == "" ]]; then
-    echo "::error:: input 'path' not set"
-    exit 1
-  fi
-
-  if [[ ! -d "$INPUT_PATH" ]]; then
-    echo "::error:: Path does not exist: \"$INPUT_PATH\""
-    exit 1
-  fi
-
   detect-terraform-version
 
-  debug_cmd ls -la $TERRAFORM_BIN_DIR
+  debug_cmd ls -la "$TERRAFORM_BIN_DIR"
+  end_group
 
   detect-tfmask
 
   execute_run_commands
 }
 
 function relative_to() {
-  local abspath
+  local absbase
   local relpath
 
   absbase="$1"
@@ -108,13 +108,19 @@ function relative_to() {
 }
 
 function init() {
+  start_group "Initializing Terraform"
+
   write_credentials
 
   rm -rf "$TF_DATA_DIR"
   (cd "$INPUT_PATH" && terraform init -input=false -backend=false)
+
+  end_group
 }
 
 function init-backend() {
+  start_group "Initializing Terraform"
+
   write_credentials
 
   INIT_ARGS=""
@@ -154,10 +160,19 @@ function init-backend() {
       exit $INIT_EXIT
     fi
   fi
+
+
+  end_group
 }
 
 function select-workspace() {
-  (cd "$INPUT_PATH" && terraform workspace select "$INPUT_WORKSPACE")
+  (cd "$INPUT_PATH" && terraform workspace select "$INPUT_WORKSPACE") >/tmp/select-workspace 2>&1
+
+  if [[ -s /tmp/select-workspace ]]; then
+    start_group "Selecting workspace"
+    cat /tmp/select-workspace
+    end_group
+  fi
 }
 
 function set-plan-args() {
@@ -192,21 +207,20 @@ function output() {
 }
 
 function update_status() {
-    local status="$1"
+  local status="$1"
 
-    if ! STATUS="$status" github_pr_comment status 2>&1 | sed 's/^/::debug::/'; then
-        echo "$status"
-        echo "Unable to update status on PR"
-    fi
+  if ! STATUS="$status" github_pr_comment status 2>/tmp/github_pr_comment.error; then
+    debug_file /tmp/github_pr_comment.error
+  fi
 }
 
 function random_string() {
   python3 -c "import random; import string; print(''.join(random.choice(string.ascii_lowercase) for i in range(8)))"
 }
 
 function write_credentials() {
-  format_tf_credentials >> $HOME/.terraformrc
-  netrc-credential-actions >> $HOME/.netrc
+  format_tf_credentials >> "$HOME/.terraformrc"
+  netrc-credential-actions >> "$HOME/.netrc"
   echo "$TERRAFORM_SSH_KEY" >> /.ssh/id_rsa
   chmod 600 /.ssh/id_rsa
   chmod 700 /.ssh
 
@@ -3,7 +3,6 @@
 source /usr/local/actions.sh
 
 debug
-
 setup
 init-backend
 select-workspace
@@ -34,7 +33,7 @@ function plan() {
     fi
 
     set +e
-    (cd $INPUT_PATH && terraform plan -input=false -no-color -detailed-exitcode -lock-timeout=300s $PLAN_OUT_ARG $PLAN_ARGS) \
+    (cd "$INPUT_PATH" && terraform plan -input=false -no-color -detailed-exitcode -lock-timeout=300s $PLAN_OUT_ARG $PLAN_ARGS) \
         2>"$PLAN_DIR/error.txt" \
         | $TFMASK \
         | tee /dev/fd/3 \
@@ -48,7 +47,7 @@ function plan() {
 function apply() {
 
     set +e
-    (cd $INPUT_PATH && terraform apply -input=false -no-color -auto-approve -lock-timeout=300s $PLAN_OUT) | $TFMASK
+    (cd "$INPUT_PATH" && terraform apply -input=false -no-color -auto-approve -lock-timeout=300s $PLAN_OUT) | $TFMASK
     local APPLY_EXIT=${PIPESTATUS[0]}
     set -e
 
@@ -79,6 +78,7 @@ fi
 
 if [[ $PLAN_EXIT -eq 1 ]]; then
     cat "$PLAN_DIR/error.txt"
+
     update_status "Error applying plan in $(job_markdown_ref)"
     exit 1
 fi
@@ -103,7 +103,8 @@ else
       exit 1
     fi
 
-    if ! github_pr_comment get >"$PLAN_DIR/approved-plan.txt"; then
+    if ! github_pr_comment get "$PLAN_DIR/approved-plan.txt" 2>"$PLAN_DIR/github_pr_comment.error"; then
+        debug_file "$PLAN_DIR/github_pr_comment.error"
         echo "Plan not found on PR"
         echo "Generate the plan first using the dflook/terraform-plan action. Alternatively set the auto_approve input to 'true'"
         echo "If dflook/terraform-plan was used with add_github_comment set to changes-only, this may mean the plan has since changed to include changes"
 
@@ -7,10 +7,9 @@ setup
 init-backend
 select-workspace
 set-plan-args
-output
 
 set +e
-(cd $INPUT_PATH && terraform plan -input=false -detailed-exitcode -lock-timeout=300s $PLAN_ARGS) \
+(cd "$INPUT_PATH" && terraform plan -input=false -detailed-exitcode -lock-timeout=300s $PLAN_ARGS) \
     | $TFMASK
 
 readonly TF_EXIT=${PIPESTATUS[0]}
 
@@ -11,16 +11,16 @@ rm -rf "$WS_TMP_DIR"
 mkdir -p "$WS_TMP_DIR"
 
 set +e
-(cd $INPUT_PATH && terraform workspace list -no-color) \
+(cd "$INPUT_PATH" && terraform workspace list -no-color) \
     2>"$WS_TMP_DIR/list_err.txt" \
      >"$WS_TMP_DIR/list_out.txt"
 
 readonly TF_WS_LIST_EXIT=${PIPESTATUS[0]}
 set -e
 
 debug_log "terraform workspace list: ${TF_WS_LIST_EXIT}"
-debug_cmd cat "$WS_TMP_DIR/list_err.txt"
-debug_cmd cat "$WS_TMP_DIR/list_out.txt"
+debug_file "$WS_TMP_DIR/list_err.txt"
+debug_file "$WS_TMP_DIR/list_out.txt"
 
 if [[ $TF_WS_LIST_EXIT -ne 0 ]]; then
   echo "Error: Failed to list workspaces"
@@ -34,16 +34,16 @@ else
   echo "Workspace does not appear to exist, attempting to create it"
 
   set +e
-  (cd $INPUT_PATH && terraform workspace new -no-color -lock-timeout=300s "$INPUT_WORKSPACE") \
+  (cd "$INPUT_PATH" && terraform workspace new -no-color -lock-timeout=300s "$INPUT_WORKSPACE") \
       2>"$WS_TMP_DIR/new_err.txt" \
        >"$WS_TMP_DIR/new_out.txt"
 
   readonly TF_WS_NEW_EXIT=${PIPESTATUS[0]}
   set -e
 
   debug_log "terraform workspace new: ${TF_WS_NEW_EXIT}"
-  debug_cmd cat "$WS_TMP_DIR/new_err.txt"
-  debug_cmd cat "$WS_TMP_DIR/new_out.txt"
+  debug_file "$WS_TMP_DIR/new_err.txt"
+  debug_file "$WS_TMP_DIR/new_out.txt"
 
   if [[ $TF_WS_NEW_EXIT -ne 0 ]]; then
 
 
@@ -2,7 +2,9 @@
 
 source /usr/local/actions.sh
 
+debug
 setup
 init-backend
 select-workspace
+
 output
-Original file line number
+Diff line change
@@ @@ -1,3 +1,5 @@ @@
 Everytime I need to generate a push or synchronise event I will touch this file.
 This is usually because GitHub Actions has broken in some way.
++
++