ci(security): harden workflow steps against template-injection

[visionik]

Summary

Harden three CI workflow files against template-injection findings reported by zizmor (v1.24.1), using the canonical fix pattern: hoist every dynamic ${{ … }} expression out of the run: block into a step-level env: dictionary, then reference it as "${VAR}" from the script.

Covers the 8 template-injection sites that are not addressed by #66884 (which handles the remaining 12 sites in openclaw-cross-os-release-checks-reusable.yml).

Files and sites fixed

.github/workflows/control-ui-locale-refresh.yml (1 site)

• Line 143 — matrix.locale lifted into env as LOCALE.

.github/workflows/docker-release.yml (6 sites)

Both Create and push default manifest and Create and push slim manifest steps in the create-manifest job:

• steps.tags.outputs.value → TAGS
• steps.tags.outputs.slim → SLIM_TAGS
• needs.build-amd64.outputs.digest → AMD64_DIGEST
• needs.build-arm64.outputs.digest → ARM64_DIGEST
• needs.build-amd64.outputs.slim-digest → AMD64_SLIM_DIGEST
• needs.build-arm64.outputs.slim-digest → ARM64_SLIM_DIGEST

.github/workflows/openclaw-npm-release.yml (1 site)

• Line 402 — steps.publish_tarball.outputs.path lifted into env as PUBLISH_TARBALL_PATH in the Publish step.

Verification

$ zizmor --persona regular \
    .github/workflows/control-ui-locale-refresh.yml \
    .github/workflows/docker-release.yml \
    .github/workflows/openclaw-npm-release.yml

No findings to report. Good job! (20 suppressed)

• pnpm format:check — clean across 12,852 files.
• pnpm lint — 0 warnings, 0 errors.
• YAML parses cleanly for all three files via the project's own yaml package.

Behavioural impact

None. The substitution is mechanical — GitHub Actions expands the expressions into environment variables at the same evaluation point as before, and the shell reads them via ${VAR} instead of having them baked into the script at render time.

Relationship to other PRs / issues

• Refs [Security] zizmor template-injection findings across CI workflows #68428 — tracking issue enumerating all 22 template-injection findings.
• Complements fix(ci): harden release checks workflow inputs #66884 — covers the remaining 12 sites in openclaw-cross-os-release-checks-reusable.yml. Together, fix(ci): harden release checks workflow inputs #66884 + this PR resolve all 22 findings in the tracking issue.
• CI: harden release-check script execution paths #67920 has overlapping env-var changes for openclaw-cross-os-release-checks-reusable.yml plus an unrelated script refactor; recommended to rebase on main once fix(ci): harden release checks workflow inputs #66884 lands and keep only the script refactor.

[greptile-apps]

Greptile Summary

Mechanical template-injection hardening across three CI workflow files: hoists all dynamic ${{ … }} expressions out of run: blocks into step-level env: dictionaries and replaces them with ${VAR} shell references, following the canonical pattern for eliminating GitHub Actions expression injection. All 8 sites addressed are correct and functionally equivalent to the originals.

Confidence Score: 5/5

Safe to merge — changes are purely mechanical, no behavioral impact.

All 8 template-injection sites are correctly hoisted into env: blocks with proper shell variable references. The substitutions preserve exact semantics, and the docker digest quoting is a minor improvement over the prior unquoted inline interpolation. No logic, data, or security regressions introduced.

No files require special attention.

_{Reviews (1): Last reviewed commit: "ci(security): harden workflow steps agai..." | Re-trigger Greptile}

[visionik]

Self-review note: GitHub blocks self-approve. Verified locally that zizmor on the three modified files now reports no findings, and pnpm format:check + pnpm lint are both clean. Mechanical env-var substitution per the canonical pattern — no runtime behaviour change. Ready for a second maintainer approval or admin merge.