From 4c0210f2d56ec4a42577d3bd9a7d6f2c4ac02cfa Mon Sep 17 00:00:00 2001
From: Lucas TESSON
Date: Mon, 28 Oct 2024 15:41:07 +0100
Subject: [PATCH] fix: shellcheck issues from octoscan No possible injections, data is the result of sha256sum
---
 .github/workflows/goreleaser.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/goreleaser.yml b/.github/workflows/goreleaser.yml
index 94f20a4..441c093 100644
--- a/.github/workflows/goreleaser.yml
+++ b/.github/workflows/goreleaser.yml
@@ -47,7 +47,7 @@ jobs:
 run: |
 set -euo pipefail
- checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path')
+ checksum_file="$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path')"
 echo "hashes=$(cat $checksum_file | base64 -w0)" >> "$GITHUB_OUTPUT"
 provenance:
@@ -83,9 +83,9 @@ jobs:
 PROVENANCE: "${{ needs.provenance.outputs.provenance-name }}"
 run: |
 set -euo pipefail
- checksums=$(echo "$CHECKSUMS" | base64 -d)
+ checksums="$(echo "$CHECKSUMS" | base64 -d)"
 while read -r line; do
- fn=$(echo $line | cut -d ' ' -f2)
+ fn="$(echo $line | cut -d ' ' -f2)"
 echo "Verifying $fn"
 slsa-verifier verify-artifact --provenance-path "$PROVENANCE" \
 --source-uri "github.com/$GITHUB_REPOSITORY" \
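Review bot: The unquoted `$checksum_file` in the `cat` on the context line after the change is the expansion that is still word-split and glob-expanded; quoting the right-hand side of the assignment changes nothing, because the shell does not split assignment values. If the jq filter matches no `Checksum` artifact the variable is empty, `cat` runs with no file argument, and `hashes` is most likely written empty without the step failing, since `set -e` does not see a failure inside `echo "...$(...)"`. Doing the encoding in its own assignment makes an empty or multi-line path abort the step: `hashes="$(base64 -w0 < "$checksum_file")"` followed by `echo "hashes=$hashes" >> "$GITHUB_OUTPUT"`. The step's `env:` block and whatever consumes `hashes` downstream are outside the hunk.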
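Review bot: The inner `$line` in `fn="$(echo $line | cut -d ' ' -f2)"` is still unquoted, and that word-splitting is load-bearing: sha256sum-style lines put two characters between digest and name, so `cut -f2` returns the name only because `echo $line` collapses them. The same expansion also glob-expands the line against the working directory and truncates any name containing a space, so `$fn` can differ from the name recorded in the checksum file; the commit message's assurance holds only while every name is free of whitespace and glob characters, which nothing in this step checks. `read -r _ fn <<<"$line"` splits off the digest without either effect. The loop's `done` and the remaining `slsa-verifier` arguments are outside the hunk, so how `$fn` is passed on is not visible here.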