Skip to content
Latchkey

What Is Environment Variable Interpolation? Explained

Environment variable interpolation is the substitution of a variables value into a string, so a placeholder like a dollar-sign name is replaced by its actual value.

Interpolation is how configuration becomes dynamic. Instead of hardcoding a value, you write a placeholder referencing an environment variable, and a tool replaces it with the real value at runtime. CI lives on this: pipelines inject secrets, build numbers, and branch names through interpolation. But who does the substituting - the shell, the CI engine, or a config tool - changes the rules.

What interpolation is

Interpolation replaces a reference to a variable, written as a placeholder, with the variables current value when the text is processed. The classic form is a dollar sign followed by a name. Interpolation turns a static template into one that adapts to the environment it runs in.

Who does the substituting

In CI there are usually several layers that can interpolate: the CI engine substitutes its own expression syntax before the job runs, and then the shell interpolates its variables when the command executes. Knowing which layer handles a given placeholder is essential, because they have different syntax and timing.

Quoting and missing-value pitfalls

Two classic bugs: forgetting to quote an interpolated value that contains spaces, which splits it into multiple arguments; and a missing variable expanding to an empty string, which can turn a command into something dangerous. Strict shells can be told to error on undefined variables to catch the latter.

Interpolation in CI

GitHub Actions interpolates its own expression syntax (the double-brace form) at the engine level, and the shell interpolates dollar-sign variables at run time. A frequent mistake is mixing them up or letting the engine interpolate untrusted input directly into a shell command, which is an injection risk.

Two layers of interpolation
# Engine vs shell interpolation in a CI step
steps:
  - env:
      NAME: ${{ github.actor }}   # engine interpolates
    run: echo "Hello, $NAME"        # shell interpolates safely

Latchkey note

Expression and shell interpolation behave the same on Latchkey runners, and passing untrusted context through an env var (rather than inlining it into the command) is the standard safe pattern there too.

Key takeaways

  • Interpolation substitutes a variables value into text wherever a placeholder appears.
  • In CI multiple layers interpolate - the engine before the run, the shell during it - with different syntax.
  • Unquoted or missing values cause bugs, and interpolating untrusted input into a command is an injection risk.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →