Be strict about quoting environment variables.

.github/setup-node/action.yml

@@ -20,7 +20,7 @@ runs:
         - name: Get Node.js and npm version
           id: node-version
           run: |
-              echo "NODE_VERSION=$(node -v)" >> $GITHUB_OUTPUT
+              echo "NODE_VERSION=$(node -v)" >> "$GITHUB_OUTPUT"
           shell: bash
 
         - name: Cache node_modules

.github/workflows/build-plugin-zip.yml

@@ -39,11 +39,11 @@ jobs:
                     "https://api.github.com/repos/${GITHUB_REPOSITORY}/releases/latest"
                   LATEST_STABLE_TAG="$(jq --raw-output '.tag_name' latest.json)"
                   IFS='.' read LATEST_STABLE_MAJOR LATEST_STABLE_MINOR LATEST_STABLE_PATCH <<< "${LATEST_STABLE_TAG#v}"
-                  echo "current_stable_branch=release/${LATEST_STABLE_MAJOR}.${LATEST_STABLE_MINOR}" >> $GITHUB_OUTPUT
+                  echo "current_stable_branch=release/${LATEST_STABLE_MAJOR}.${LATEST_STABLE_MINOR}" >> "$GITHUB_OUTPUT"
                   if [[ ${LATEST_STABLE_MINOR} == "9" ]]; then
-                    echo "next_stable_branch=release/$((LATEST_STABLE_MAJOR + 1)).0" >> $GITHUB_OUTPUT
+                    echo "next_stable_branch=release/$((LATEST_STABLE_MAJOR + 1)).0" >> "$GITHUB_OUTPUT"
                   else
-                    echo "next_stable_branch=release/${LATEST_STABLE_MAJOR}.$((LATEST_STABLE_MINOR + 1))" >> $GITHUB_OUTPUT
+                    echo "next_stable_branch=release/${LATEST_STABLE_MAJOR}.$((LATEST_STABLE_MINOR + 1))" >> "$GITHUB_OUTPUT"
                   fi
 
     bump-version:
@@ -100,10 +100,10 @@ jobs:
                       fi
                     fi
                   fi
-                  echo "new_version=${NEW_VERSION}" >> $GITHUB_OUTPUT
+                  echo "new_version=${NEW_VERSION}" >> "$GITHUB_OUTPUT"
                   IFS='.' read -r -a NEW_VERSION_ARRAY <<< "$NEW_VERSION"
                   RELEASE_BRANCH="release/${NEW_VERSION_ARRAY[0]}.${NEW_VERSION_ARRAY[1]}"
-                  echo "release_branch=${RELEASE_BRANCH}" >> $GITHUB_OUTPUT
+                  echo "release_branch=${RELEASE_BRANCH}" >> "$GITHUB_OUTPUT"
 
             - name: Configure git user name and email
               run: |
@@ -164,7 +164,7 @@ jobs:
                   if [[ "$OLD_VERSION" == "$TRUNK_VERSION" ]]; then
                     git cherry-pick "$TARGET_BRANCH"
                     git push
-                    echo "version_bump_commit=$(git rev-parse --verify --short HEAD)" >> $GITHUB_OUTPUT
+                    echo "version_bump_commit=$(git rev-parse --verify --short HEAD)" >> "$GITHUB_OUTPUT"
                   fi
 
     build:
@@ -293,7 +293,7 @@ jobs:
               id: get_release_version
               env:
                   VERSION: ${{ needs.bump-version.outputs.new_version }}
-              run: echo "version=$(echo $VERSION | cut -d / -f 3 | sed 's/-rc./ RC/' )" >> $GITHUB_OUTPUT
+              run: echo "version=$(echo $VERSION | cut -d / -f 3 | sed 's/-rc./ RC/' )" >> "$GITHUB_OUTPUT"
 
             - name: Download Plugin Zip Artifact
               uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8

.github/workflows/unit-test.yml

@@ -120,7 +120,7 @@ jobs:
                     PREVIOUS_WP_SERIES="${LATEST_WP_MAJOR}.$((LATEST_WP_MINOR - 1))"
                   fi
                   PREVIOUS_WP_VERSION=$(jq --raw-output --arg series "${PREVIOUS_WP_SERIES}" 'with_entries(select(.key|startswith($series)))|keys[-1]' versions.json)
-                  echo "previous-wordpress-version=${PREVIOUS_WP_VERSION}" >> $GITHUB_OUTPUT
+                  echo "previous-wordpress-version=${PREVIOUS_WP_VERSION}" >> "$GITHUB_OUTPUT"
                   rm versions.json
 
     build-assets:
@@ -302,7 +302,7 @@ jobs:
             # http://man7.org/linux/man-pages/man1/date.1.html
             - name: "Get last Monday's date"
               id: get-date
-              run: echo "date=$(/bin/date -u --date='last Mon' "+%F")" >> $GITHUB_OUTPUT
+              run: echo "date=$(/bin/date -u --date='last Mon' "+%F")" >> "$GITHUB_OUTPUT"
 
             - name: Cache PHPCS scan cache
               uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
@@ -318,7 +318,7 @@ jobs:
                   custom-cache-suffix: ${{ steps.get-date.outputs.date }}
 
             - name: Make Composer packages available globally
-              run: echo "${PWD}/vendor/bin" >> $GITHUB_PATH
+              run: echo "${PWD}/vendor/bin" >> "$GITHUB_PATH"
 
             - name: Run PHPCS on all Gutenberg files
               id: phpcs-gutenberg

.github/workflows/upload-release-to-plugin-repo.yml

@@ -25,7 +25,7 @@ jobs:
               run: |
                   latest_version_in_core_repo=$(curl -s 'https://api.wordpress.org/plugins/info/1.2/?action=plugin_information&request\[slug\]=gutenberg' | jq -r '.version')
                   echo "Latest Core Repo version: $latest_version_in_core_repo"
-                  echo "version=$latest_version_in_core_repo" >> $GITHUB_OUTPUT
+                  echo "version=$latest_version_in_core_repo" >> "$GITHUB_OUTPUT"
 
             - name: Decide if it is a trunk or tag update
               id: compute_should_update_trunk
@@ -60,7 +60,7 @@ jobs:
                   fi
 
                   echo "Should update trunk: $shouldUpdateTrunk"
-                  echo "should_update_trunk=$shouldUpdateTrunk" >> $GITHUB_OUTPUT
+                  echo "should_update_trunk=$shouldUpdateTrunk" >> "$GITHUB_OUTPUT"
 
     get-release-branch:
         name: Get release branch name
@@ -76,7 +76,7 @@ jobs:
               run: |
                   IFS='.' read -r -a VERSION_ARRAY <<< "${TAG#v}"
                   RELEASE_BRANCH="release/${VERSION_ARRAY[0]}.${VERSION_ARRAY[1]}"
-                  echo "release_branch=${RELEASE_BRANCH}" >> $GITHUB_OUTPUT
+                  echo "release_branch=${RELEASE_BRANCH}" >> "$GITHUB_OUTPUT"
 
     update-changelog:
         name: Update Changelog on ${{ matrix.branch }} branch