fix(security): harden run-steps against script injection; fix release gating#44
Draft
peschee wants to merge 2 commits into
Draft
fix(security): harden run-steps against script injection; fix release gating#44peschee wants to merge 2 commits into
peschee wants to merge 2 commits into
Conversation
… gating Move every github.*, inputs.*, secrets.* and vars.* value that was interpolated directly into a `run:` shell body into a step-level `env:` block, referenced as a quoted shell variable. This closes script-injection holes across all reusable workflows and composite actions and keeps secrets (Nexus, macOS keychain, skopeo, Jira) off command lines. Also: - add-helm-repositories: drop `eval`, build a bash argument array instead - setup-npm-nexus-access: stop printing the generated .npmrc auth token - release announce job: add always() so it is not skipped when optional upstream jobs are skipped; suppress only on failure/cancellation - release run summary: reference the correct lowercase parse outputs - CHANGELOG: document the above under [Unreleased] Verified with actionlint (clean) and an injection scan over all run: bodies.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Hardens every reusable workflow and composite action against shell script injection, and fixes two release-workflow correctness bugs found during the review.
The core change is mechanical and repo-wide: every
github.*,inputs.*,secrets.*, andvars.*value that was interpolated directly into arun:shell body is now passed via a step-levelenv:block and referenced as a quoted shell variable. This is the standard mitigation for GitHub Actions expression injection.Security
${{ … }}moved out ofrun:bodies intoenv:(quoted refs) across every workflow + composite action.curl --user), macOS keychain password, skopeo--src/--dest-creds, and the Jira auth token are no longer interpolated into command strings.add-helm-repositories: removedevalof a built-up command string; now uses a bash argument array.setup-npm-nexus-access: removed the step that printed the generated.npmrc(auth token) to the build log.Fixed
announcejob was effectively never running: its condition was justinputs.send_announcementwhile itneeds:several jobs that are skipped on a normal release, so it got skipped too. Now gated withalways() && … && !contains(needs.*.result, 'failure'/'cancelled').parseoutputs (rendered blank); now uses the correct lowercase outputs.Verification
actionlintclean across the tree (only the pre-existingmacduffself-hosted-runner label warning).inputs.*/secrets.*/github.event.*remains in anyrun:body. Remaining${{ }}occurrences are safe (with:/env:values, the announcemessage:hardened inside its action, and a fixed-literal ternary inshared-maven-build.yml).Notes / not in this PR
@main, andpackage.json's1.0.0maps to no tag. The CHANGELOG entry is under[Unreleased]. Cutting an actualv1.0.0(so this lands in a real release) is a separate decision.permissions:blocks,concurrencygroups, unpinned third-party actions, the orphanedshared-*vs legacy duplication, the dead non-dotgithub/dir, README link errors) are not addressed here.