canonical · james-garner-canonical · Mar 23, 2026 · Mar 21, 2026 · Mar 21, 2026 · Mar 21, 2026
@@ -34,22 +34,31 @@ jobs:
       - name: Calculate reference for git diff
         id: ref
         if: github.event_name == 'pull_request'
+        env:
+          BASE_REF: ${{ github.event.pull_request.base.ref }}
         run: |
           set -xueo pipefail
-          echo "result=$(git merge-base origin/${{ github.event.pull_request.base.ref }} HEAD)" >> "$GITHUB_OUTPUT"
+          echo "result=$(git merge-base origin/$BASE_REF HEAD)" >> "$GITHUB_OUTPUT"
       - uses: astral-sh/setup-uv@v7
       - name: Collect changed packages
         id: packages
-        run: .github/get-changed.py packages ${{ steps.ref.outputs.result }}
+        env:
+          REF_RESULT: ${{ steps.ref.outputs.result }}
+        run: .github/get-changed.py packages $REF_RESULT
       - name: Collect changed interfaces
         id: interfaces
-        run: .github/get-changed.py interfaces ${{ steps.ref.outputs.result }} --name-only
+        env:
+          REF_RESULT: ${{ steps.ref.outputs.result }}
+        run: .github/get-changed.py interfaces $REF_RESULT --name-only
       - name: Collect packages that would be published on merge
         id: publish
+        env:
+          EVENT_NAME: ${{ github.event_name }}
+          REF_RESULT: ${{ steps.ref.outputs.result }}
         run: |
           set -xueo pipefail
-          if [ ${{ github.event_name }} = 'pull_request' ]; then
-            PACKAGES=$(.scripts/ls.py packages ${{ steps.ref.outputs.result }} --exclude-examples --exclude-placeholders --only-if-version-changed)
+          if [ "$EVENT_NAME" = 'pull_request' ]; then
+            PACKAGES=$(.scripts/ls.py packages $REF_RESULT --exclude-examples --exclude-placeholders --only-if-version-changed)
           else
             PACKAGES='[]'
           fi
@@ -74,8 +83,10 @@ jobs:
     steps:
       - name: Fail if any tests failed
         if: ${{ needs.package.result != 'success' && needs.package.result != 'skipped' }}
+        env:
+          NEEDS_JSON: ${{ toJSON(needs) }}
         run: |
-          echo '${{ toJSON(needs) }}' | jq  # logging
+          echo "$NEEDS_JSON" | jq  # logging
           exit 1
 
   interface:
@@ -96,8 +107,10 @@ jobs:
     steps:
       - name: Fail if any interface tests failed
         if: ${{ needs.interface.result != 'success' && needs.interface.result != 'skipped' }}
+        env:
+          NEEDS_JSON: ${{ toJSON(needs) }}
         run: |
-          echo '${{ toJSON(needs) }}' | jq  # logging
+          echo "$NEEDS_JSON" | jq  # logging
           exit 1
 
   interfaces-json-up-to-date:
@@ -161,9 +174,12 @@ jobs:
           fetch-depth: 0
           persist-credentials: false
       - name: Ensure CHANGELOG.md has been updated
+        env:
+          BASE_SHA: ${{ github.event.pull_request.base.sha }}
+          PACKAGE: ${{ matrix.package }}
         run: |
           set -xueo pipefail
-          if git diff --name-only ${{ github.event.pull_request.base.sha }} | grep -q '^${{ matrix.package }}/CHANGELOG.md$'; then
+          if git diff --name-only "$BASE_SHA" | grep -q "^${PACKAGE}/CHANGELOG.md$"; then
             : 'CHANGELOG.md updated :)'
           else
             : 'CHANGELOG.md must be updated before merging :('
@@ -177,8 +193,10 @@ jobs:
     steps:
       - name: Fail if any required changelogs are not updated
         if: ${{ needs.changelog-updated.result != 'success' && needs.changelog-updated.result != 'skipped' }}
+        env:
+          NEEDS_JSON: ${{ toJSON(needs) }}
         run: |
-          echo '${{ toJSON(needs) }}' | jq  # logging
+          echo "$NEEDS_JSON" | jq  # logging
           exit 1
 
   zizmor:

@@ -62,11 +62,16 @@ jobs:
           persist-credentials: false
       - uses: astral-sh/setup-uv@v7
       - name: Run interface tests
+        env:
+          VERSION: ${{ matrix.version }}
+          ROLE: ${{ matrix.role }}
+          CHARM_NAME: ${{ matrix.charm_name }}
+          ENDPOINT: ${{ matrix.endpoint }}
         run: |
           set -xueo pipefail
           .scripts/run-interface-tests.py \
             "$INTERFACE" \
-            ${{ matrix.version }} \
-            ${{ matrix.role }} \
-            ${{ matrix.charm_name }} \
-            ${{ matrix.endpoint }}
+            "$VERSION" \
+            "$ROLE" \
+            "$CHARM_NAME" \
+            "$ENDPOINT"
@@ -25,6 +25,9 @@ on:
 
 permissions: {}
 
+env:
+  PACKAGE: ${{ inputs.package }}
+
 jobs:
   init:
     runs-on: ubuntu-latest
@@ -54,14 +57,14 @@ jobs:
 
       - name: Check which Python versions this package supports
         id: python
-        run: uv run --no-project --script .github/get-supported-python-versions.py ${{ inputs.package }}
+        run: uv run --no-project --script .github/get-supported-python-versions.py "$PACKAGE"
 
       - name: Check which test suites this package has
         id: tests
         run: |
           tests=()
           for test in unit functional integration; do
-            if [ -d ${{ inputs.package }}/tests/$test ]; then
+            if [ -d "$PACKAGE/tests/$test" ]; then
               tests+=($test)
             fi
           done
@@ -72,7 +75,7 @@ jobs:
       - name: Check requirements for functional tests
         id: functional
         if: contains(fromJson(steps.tests.outputs.tests), 'functional')
-        run: uv run --no-project --script .github/get-functional-test-matrix.py ${{ inputs.package }}
+        run: uv run --no-project --script .github/get-functional-test-matrix.py "$PACKAGE"
 
       - name: Check substrates needed for integration tests
         id: integration-substrates
@@ -103,7 +106,7 @@ jobs:
         shell: python
         run: |
           import json, os, pathlib, tomllib
-          pyproject_toml = tomllib.loads(pathlib.Path('${{ inputs.package }}', 'pyproject.toml').read_text())
+          pyproject_toml = tomllib.loads(pathlib.Path(os.environ['PACKAGE'], 'pyproject.toml').read_text())
           tags = pyproject_toml.get('tool', {}).get('charmlibs', {}).get('integration', {}).get('tags') or ['']
           line = f'tags={json.dumps(tags)}'
           print(line)
@@ -127,7 +130,9 @@ jobs:
         uses: astral-sh/setup-uv@v7
 
       - name: Run static analysis and other checks
-        run: uvx --from rust-just just python=${{ matrix.python }} lint ${{ inputs.package }}
+        env:
+          PYTHON: ${{ matrix.python }}
+        run: uvx --from rust-just just python="$PYTHON" lint "$PACKAGE"
 
   unit:
     needs: init
@@ -146,7 +151,9 @@ jobs:
         uses: astral-sh/setup-uv@v7
 
       - name: Run unit tests
-        run: uvx --from rust-just just python=${{ matrix.python }} unit ${{ inputs.package }}
+        env:
+          PYTHON: ${{ matrix.python }}
+        run: uvx --from rust-just just python="$PYTHON" unit "$PACKAGE"
 
   functional:
     needs: init
@@ -169,18 +176,21 @@ jobs:
 
       - name: Install Pebble
         if: matrix.pebble != 'no-pebble'
-        run: go install github.com/canonical/pebble/cmd/${{ matrix.pebble }}
+        env:
+          PEBBLE: ${{ matrix.pebble }}
+          GOTOOLCHAIN: auto
+        run: go install "github.com/canonical/pebble/cmd/$PEBBLE"
 
       - name: Install uv
         uses: astral-sh/setup-uv@v7
 
       - name: Run functional tests
         if: matrix.sudo == 'no-sudo'
-        run: uvx --from rust-just just python=python3 functional ${{ inputs.package }}
+        run: uvx --from rust-just just python=python3 functional "$PACKAGE"
 
       - name: Run functional tests with sudo
         if: matrix.sudo != 'no-sudo'
-        run: sudo env "PATH=$PATH" uvx --from rust-just just python=python3 functional ${{ inputs.package }}
+        run: sudo env "PATH=$PATH" uvx --from rust-just just python=python3 functional "$PACKAGE"
 
   integration:
     needs: init
@@ -212,11 +222,13 @@ jobs:
 
       - name: Pack charms
         if: ${{ hashFiles(format('{0}/tests/integration/pack.sh', inputs.package)) != '' }}
-        run: uvx --from rust-just just tag='${{ matrix.tag }}' pack-${{ matrix.substrate }} ${{ inputs.package }}
+        env:
+          TAG: ${{ matrix.tag }}
+          SUBSTRATE: ${{ matrix.substrate }}
+        run: uvx --from rust-just just tag="$TAG" "pack-$SUBSTRATE" "$PACKAGE"
 
       - name: Run Juju integration tests
         env:
-          PACKAGE: ${{ inputs.package }}
           PYTHON: ${{ needs.init.outputs.min_python_version }}
           RECIPE: integration-${{ matrix.substrate }}
           TAG: ${{ matrix.tag }}

@@ -0,0 +1,26 @@
+name: Workflow static checks
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+
+permissions: {}
+
+jobs:
+  zizmor:
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78  # v7.6.0
+      - run: uvx zizmor@v1.23.1 --format=sarif . > results.sarif
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - uses: github/codeql-action/upload-sarif@v4
+        with:
+          sarif_file: results.sarif
+          category: zizmor