Problem
Several `run:` steps interpolate `${{ inputs.X }}` directly into shell, e.g.:
- `_ci.yml:111` — `forge test -${{ inputs.test-verbosity }}`
- `_ci.yml:197` — `forge coverage --no-match-path "${{ inputs.coverage-exclude-paths }}"`
- `_deploy-testnet.yml:96-97` — jq with `${{ inputs.network-index }}` interpolated into the filter
- `_deploy-testnet.yml:108` — `forge script ${{ inputs.deploy-script }}` (unquoted)
- `_foundry-cicd.yml:151` — `echo "${{ inputs.contract-paths }}"` for a multi-line input
GitHub expands these expressions into the script text before the shell parses it, so quoting inside the script does not protect against a value containing `"`, `$`, backticks, or newlines. The recommended pattern is to pass values via `env:` and reference `"$VAR"` in the script.
Proposal
Sweep every workflow and convert input substitutions in `run:` blocks to the `env:` + quoted-var pattern. Already done correctly in a couple of places (`_foundry-cicd.yml` quotes `deploy-script` at line 498); make it uniform.
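As an added illustration (not this repository's workflow), a reusable workflow showing the flagged interpolated form beside the `env:` + `"$VAR"` form for each input named above; the step names, the jq filter and `networks.json` are assumptions:

```yaml
# Added illustration (not the repository's workflow); step names, the jq
# filter and networks.json are assumptions.
on:
  workflow_call:
    inputs:
      test-verbosity: { type: string, default: vvv }
      coverage-exclude-paths: { type: string, default: "test/*" }
      network-index: { type: string, default: "0" }
      deploy-script: { type: string, default: script/Deploy.s.sol }
      contract-paths: { type: string, default: "src/A.sol\nsrc/B.sol" }
jobs:
  example:
    runs-on: ubuntu-latest
    steps:
      # BEFORE: the expression is expanded into the script text before bash
      # parses it, so a value holding a closing quote and shell metacharacters
      # becomes shell syntax; the quotes around it are spliced in with it.
      - name: Coverage (interpolated form, avoid)
        run: forge coverage --no-match-path "${{ inputs.coverage-exclude-paths }}"
      # AFTER: the value enters via the process environment and "$VAR" expands
      # at run time to one argument, never re-parsed as syntax, so quotes, $,
      # backticks and newlines in it are inert.
      - name: Coverage
        env:
          EXCLUDE: ${{ inputs.coverage-exclude-paths }}
        run: forge coverage --no-match-path "$EXCLUDE"
      - name: Test
        env:
          VERBOSITY: ${{ inputs.test-verbosity }}
        run: forge test "-$VERBOSITY"
      - name: Deploy
        env:
          SCRIPT: ${{ inputs.deploy-script }}
        run: forge script "$SCRIPT"
      # jq: bind the value with --arg so it is data inside the filter too,
      # rather than text spliced into the filter program.
      - name: Select network
        env:
          IDX: ${{ inputs.network-index }}
        run: jq --arg idx "$IDX" '.networks[$idx | tonumber]' networks.json
      # Multi-line input: the variable keeps its newlines; quoting preserves
      # them when the value is echoed or read line by line.
      - name: List contracts
        env:
          PATHS: ${{ inputs.contract-paths }}
        run: |
          while IFS= read -r p; do printf 'contract: %s\n' "$p"; done <<< "$PATHS"
```

The `env:` pattern stops the value from being parsed as shell syntax, but it still reaches the tool as an argument; inputs used as option values (such as the verbosity flag) should additionally be checked against an allowlist in the workflow.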