Pre-submission checks
zizmor version
1.11.0
Expected behavior
Here's a pretty common pattern we currently flag:
run: echo ${{ env.FOO }}
env:
  FOO: blah blah
This should be auto-fixed as:
run: echo ${FOO}
env:
  FOO: blah blah
Actual behavior
Instead, we overcorrect by replacing the original FOO: value with its ${{ env.FOO }} expansion, which results in an empty expansion (unless the user has FOO set somewhere higher up):
run: echo ${FOO}
env:
  FOO: ${{ env.FOO }}
The trick here is probably to special-case the env. context namespace and not perform an env: block insertion in that case.
Reproduction steps
See above.
Logs
Additional context
No response
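A sketch of the special case proposed in this issue, written as an added example and not taken from zizmor's code: an `env.NAME` expression is rewritten to the shell variable it already names, and only other contexts get a new `env:` entry. The function names and the derived-name scheme (`GITHUB_REF_NAME`) are assumptions made for illustration.

```rust
use std::collections::BTreeMap;

// A name usable as-is as a shell variable.
fn is_ident(s: &str) -> bool {
    !s.is_empty()
        && !s.starts_with(|c: char| c.is_ascii_digit())
        && s.chars().all(|c| c.is_ascii_alphanumeric() || c == '_')
}

// Hypothetical naming scheme: github.ref_name -> GITHUB_REF_NAME.
fn derived_name(expr: &str) -> String {
    expr.chars()
        .map(|c| if c.is_ascii_alphanumeric() { c.to_ascii_uppercase() } else { '_' })
        .collect()
}

// Rewrites each `${{ expr }}` in `run` to `${VAR}` and returns the new script
// together with the step's `env:` map after the fix.
pub fn fix_run(run: &str, env: &BTreeMap<String, String>) -> (String, BTreeMap<String, String>) {
    let (mut env, mut out, mut rest) = (env.clone(), String::new(), run);
    while let Some(start) = rest.find("${{") {
        let len = match rest[start..].find("}}") {
            Some(len) => len,
            None => break, // unterminated expression: leave the tail untouched
        };
        let expr = rest[start + 3..start + len].trim();
        let var = match expr.strip_prefix("env.") {
            // Special case from the issue: the variable already reaches the
            // shell under this name, so reuse it and do not touch `env:`.
            Some(name) if is_ident(name) => name.to_string(),
            // Any other context: carry the expression through a new entry.
            _ => {
                let name = derived_name(expr);
                env.entry(name.clone()).or_insert_with(|| ["${{ ", expr, " }}"].concat());
                name
            }
        };
        out.push_str(&rest[..start]);
        out.push_str(&["${", var.as_str(), "}"].concat());
        rest = &rest[start + len + 2..];
    }
    out.push_str(rest);
    (out, env)
}

fn main() {
    // Constructed input: the step from the issue.
    let mut env = BTreeMap::new();
    env.insert("FOO".to_string(), "blah blah".to_string());
    println!("{:?}", fix_run("echo ${{ env.FOO }}", &env));
}
```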