fix(ci): resolve template injection and ref-version-mismatch findings

[stevebeattie]

Ticket: PSEC-923
Date: 2026-05-03
Patches: 3

---

Summary

This patch series addresses GitHub Actions security findings in chainguard-dev/malcontent
as part of the PSEC-923 systematic hardening campaign across Chainguard public repositories.

Patch 0001 — fix(ci): resolve template injection findings

Fixes 18 template-injection findings (zizmor pedantic persona) across 6 workflow files
by moving ${{ context }} template expressions out of run: blocks and into env:
variables or using the shell variables that the workflow-level env: block already exports.

Files changed:

• .github/workflows/codeql.yaml — ${{ github.workspace }} in "Build yara-x-capi" step
  moved to env: WORKSPACE: and referenced as "${WORKSPACE}" in the run block.
• .github/workflows/fuzz.yaml — ${{ env.GO_RELEASE }} and ${{ env.YARA_X_RELEASE }}
  replaced with shell variable references "${GO_RELEASE}" and "yara-x~${YARA_X_RELEASE}";
  ${{ matrix.target.test }} and ${{ matrix.target.package }} moved to env: FUZZ_TARGET:
  and env: FUZZ_PACKAGE: in the "Run fuzzer" step.
• .github/workflows/go-tests.yaml — same env.GO_RELEASE/env.YARA_X_RELEASE fix in
  both the test and integration job "Install dependencies" steps.
• .github/workflows/style.yaml — same fix in the golangci-lint job "Install dependencies".
• .github/workflows/third-party.yaml — same fix in "Install dependencies".
• .github/workflows/update-yara-x.yaml — ${{ github.repository }} moved to
  env: REPOSITORY: in the "Check for new yara-x version" step.

Note on env.* fixes: The ${{ env.GO_RELEASE }} and ${{ env.YARA_X_RELEASE }}
expressions appear in container-job apk add lines. Since these are workflow-level env:
variables, they are already exported to the shell environment as $GO_RELEASE and
$YARA_X_RELEASE. The fix simply removes the template expression and uses the shell
variables directly — no functional change.

Patch 0002 — fix(ci): add pedantic persona and suppress noisy zizmor rules

• Creates .github/zizmor.yml with:
  • dependabot-cooldown configured to 3 days
  • anonymous-definition, undocumented-permissions, concurrency-limits disabled
    (pedantic-only rules with no security impact)
• Updates .github/workflows/zizmor.yaml:
  • Adds persona: pedantic to the zizmorcore/zizmor-action step so CI catches all
    run: block template expansions going forward
  • Extends paths: triggers to include .github/zizmor.yml and .github/dependabot.yml
    so changes to those files also trigger the workflow check

Patch 0003 — fix(ci): add missing version comments to SHA-pinned action refs

Resolves 6 ref-version-mismatch zizmor findings by annotating SHA-pinned action refs
with their corresponding version:

• chainguard-dev/actions/setup-gitsign@4a81273c (5 occurrences across digestabot.yaml,
  release.yaml, update-yara-x.yaml, version.yaml, third-party.yaml): add # main.
  This action tracks the rolling main branch; no semver tags are published.
• dtolnay/rust-toolchain@e97e2d8 in codeql.yaml: add # v1.

Two additional ref-version-mismatch findings (chainguard-dev/actions/gofmt and
chainguard-dev/actions/goimports) already had # main comments and needed no change.

Note: step-security/harden-runner was at v2.19.0 when this series was drafted;
dependabot bumped it to v2.19.1 upstream before this PR landed, so that update
is not included.

---

Findings not addressed in this series

• 1 superfluous-actions: dtolnay/rust-toolchain in codeql.yaml — zizmor suggests
  replacing with native rustup, but the action provides additional conveniences and the
  security improvement is marginal. Left for repo owners to decide.
• 12 concurrency-limits, 11 anonymous-definition, 8 undocumented-permissions,
  2 dependabot-cooldown — suppressed via .github/zizmor.yml (pedantic-only, no
  security impact).

---

Testing notes

1. Apply patches with git am 0001-*.patch 0002-*.patch 0003-*.patch
2. Verify the template injection fixes do not break CI by checking that:
   • apk add "${GO_RELEASE}" and "yara-x~${YARA_X_RELEASE}" work correctly in the
     container jobs (the workflow-level env vars are passed into the container environment)
   • The fuzz job's go test -fuzz="^${FUZZ_TARGET}$" pattern matches correctly
   • The codeql job's "${WORKSPACE}/yara-x" path resolves correctly
3. Run zizmor --persona=pedantic .github/ against the patched repo to verify zero
   remaining template-injection and ref-version-mismatch findings
4. Confirm zizmor CI workflow triggers on a PR that modifies .github/zizmor.yml

---

Refs: PSEC-923

[stevebeattie]

No change here in the action used, only added a tag comment to match the commit hash. The cover letter mentions that this is an optional thing to address.