Merge pull request #289 from smallstep/carl/cicd-security-hardening

tashian · web-flow · commit 3ff6a7f3cf49 · 2026-03-02T16:18:39.000-08:00
Harden CI/CD workflows against expression injection and secret leakage
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -19,7 +19,6 @@ jobs:
   actionlint:
     name: Lint GitHub workflows
     uses: ./.github/workflows/actionlint.yml
-    secrets: inherit
 
   lint-dummy-app: # NOTE(@azazeal): this check is here to verify that .golangci.yml is valid
     name: Lint dummy app
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -43,9 +43,12 @@ jobs:
       -
         name: Install Dependencies
         if: ${{ inputs.os-dependencies != '' }}
+        env:
+          OS_DEPS: ${{ inputs.os-dependencies }}
         run: |
           sudo apt-get update
-          sudo apt-get install ${{ inputs.os-dependencies }}
+          # shellcheck disable=SC2086
+          sudo apt-get install ${OS_DEPS}
       -
         name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -109,8 +112,10 @@ jobs:
           make bootstrap
       -
         name: Build
+        env:
+          CODEQL_BUILD_CMD: ${{ inputs.codeql-build-cmd }}
         run: |
-          ${{ inputs.codeql-build-cmd }}
+          eval "${CODEQL_BUILD_CMD}"
       -
         name: Perform CodeQL Analysis
         uses: github/codeql-action/analyze@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml
@@ -6,14 +6,15 @@ on:
       DEPENDABOT_TOKEN:
         required: true
 
-permissions:
-  contents: write
-  pull-requests: write
+permissions: {}
 
 jobs:
   dependabot:
     runs-on: ubuntu-latest
     if: ${{ github.actor == 'dependabot[bot]' }}
+    permissions:
+      contents: write
+      pull-requests: write
     steps:
       - name: Dependabot metadata
         id: metadata
diff --git a/.github/workflows/goBuild.yml b/.github/workflows/goBuild.yml
@@ -53,9 +53,12 @@ jobs:
       -
         name: Install Dependencies # Some dependencies require this package
         if: ${{ inputs.os-dependencies != '' }}
+        env:
+          OS_DEPS: ${{ inputs.os-dependencies }}
         run: |
           sudo apt-get update
-          sudo apt-get install ${{ inputs.os-dependencies }}
+          # shellcheck disable=SC2086
+          sudo apt-get install ${OS_DEPS}
       -
         name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -88,4 +91,6 @@ jobs:
             ${{ secrets.SSH_PRIVATE_KEY }}
       -
         name: Build
-        run: ${{ inputs.build-command }}
+        env:
+          BUILD_CMD: ${{ inputs.build-command }}
+        run: eval "${BUILD_CMD}"
diff --git a/.github/workflows/goCI.yml b/.github/workflows/goCI.yml
@@ -104,15 +104,19 @@ jobs:
       os-dependencies: ${{ inputs.os-dependencies }}
       skip-go-generate: ${{ inputs.lint-skip-go-generate }}
       skip-go-mod-tidy: ${{ inputs.lint-skip-go-mod-tidy }}
-    secrets: inherit
+    secrets:
+      SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
+      PAT: ${{ secrets.PAT }}
 
   govulncheck:
     uses: ./.github/workflows/govulncheck.yml
     if: inputs.run-govulncheck
     with:
       os-dependencies: ${{ inputs.os-dependencies }}
       goprivate: ${{ inputs.goprivate }}
-    secrets: inherit
+    secrets:
+      SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
+      PAT: ${{ secrets.PAT }}
 
   codeql:
     if: inputs.run-codeql
@@ -122,7 +126,9 @@ jobs:
       os-dependencies: ${{ inputs.os-dependencies }}
       codeql-make-bootstrap: ${{ inputs.codeql-make-bootstrap }}
       codeql-build-cmd: ${{ inputs.codeql-build-cmd }}
-    secrets: inherit
+    secrets:
+      SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
+      PAT: ${{ secrets.PAT }}
 
   test:
     uses: ./.github/workflows/goTest.yml
@@ -134,7 +140,10 @@ jobs:
       run-codecov: ${{ inputs.run-codecov }}
       setup-bats: ${{ inputs.setup-bats }}
       test-command: ${{ inputs.test-command }}
-    secrets: inherit
+    secrets:
+      SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
+      PAT: ${{ secrets.PAT }}
+      CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
 
   build:
     uses: ./.github/workflows/goBuild.yml
@@ -144,4 +153,6 @@ jobs:
       goprivate: ${{ inputs.goprivate }}
       only-latest-golang: ${{ inputs.only-latest-golang }}
       os-dependencies: ${{ inputs.os-dependencies }}
-    secrets: inherit
+    secrets:
+      SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
+      PAT: ${{ secrets.PAT }}
diff --git a/.github/workflows/goLint.yml b/.github/workflows/goLint.yml
@@ -39,9 +39,12 @@ jobs:
       -
         name: Install Dependencies # Some dependencies require this package
         if: ${{ inputs.os-dependencies != '' }}
+        env:
+          OS_DEPS: ${{ inputs.os-dependencies }}
         run: |
           sudo apt-get update
-          sudo apt-get install ${{ inputs.os-dependencies }}
+          # shellcheck disable=SC2086
+          sudo apt-get install ${OS_DEPS}
       -
         name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
diff --git a/.github/workflows/goTest.yml b/.github/workflows/goTest.yml
@@ -70,9 +70,12 @@ jobs:
       -
         name: Install Dependencies
         if: inputs.os-dependencies != ''
+        env:
+          OS_DEPS: ${{ inputs.os-dependencies }}
         run: |
           sudo apt-get update
-          sudo apt-get install ${{ inputs.os-dependencies }}
+          # shellcheck disable=SC2086
+          sudo apt-get install ${OS_DEPS}
       -
         name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -123,8 +126,10 @@ jobs:
             ${{ secrets.SSH_PRIVATE_KEY }}
       -
         name: Install gotestsum
+        env:
+          GOTESTSUM_VERSION: ${{ inputs.gotestsum-version }}
         run: |
-          go install gotest.tools/gotestsum@v${{ inputs.gotestsum-version }}
+          go install "gotest.tools/gotestsum@v${GOTESTSUM_VERSION}"
       -
         name: Setup BATS
         if: inputs.setup-bats
@@ -133,9 +138,10 @@ jobs:
           bats-version: 1.9.0
       -
         name: Run Test Suite
-        run: ${{ inputs.test-command }}
         env:
+          TEST_CMD: ${{ inputs.test-command }}
           GOTESTSUM_JSONFILE: gotestsum.json
+        run: eval "${TEST_CMD}"
 
       -
         name: Annotate Test Suite Results
diff --git a/.github/workflows/goreleaser.yml b/.github/workflows/goreleaser.yml
@@ -79,9 +79,12 @@ jobs:
       -
         name: Install Dependencies # Some dependencies require this package
         if: ${{ inputs.os-dependencies != '' }}
+        env:
+          OS_DEPS: ${{ inputs.os-dependencies }}
         run: |
           sudo apt-get update
-          sudo apt-get install ${{ inputs.os-dependencies }}
+          # shellcheck disable=SC2086
+          sudo apt-get install ${OS_DEPS}
       -
         name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
diff --git a/.github/workflows/govulncheck.yml b/.github/workflows/govulncheck.yml
@@ -23,9 +23,12 @@ jobs:
       -
         name: Install Dependencies # Some dependencies require this package
         if: ${{ inputs.os-dependencies != '' }}
+        env:
+          OS_DEPS: ${{ inputs.os-dependencies }}
         run: |
           sudo apt-get update
-          sudo apt-get install ${{ inputs.os-dependencies }}
+          # shellcheck disable=SC2086
+          sudo apt-get install ${OS_DEPS}
       -
         name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
diff --git a/.github/workflows/triage.yml b/.github/workflows/triage.yml
@@ -15,6 +15,10 @@ on:
         type: boolean
         default: true
 
+permissions:
+  pull-requests: write
+  issues: write
+
 jobs:
   label-pr:
     name: Label PR

Original file line number	Diff line number	Diff line change
`@@ -39,9 +39,12 @@ jobs:`
`39`	`39`	`-`
`40`	`40`	`name: Install Dependencies # Some dependencies require this package`
`41`	`41`	`if: ${{ inputs.os-dependencies != '' }}`
	`42`	`+ env:`
	`43`	`+ OS_DEPS: ${{ inputs.os-dependencies }}`
`42`	`44`	`run: \|`
`43`	`45`	`sudo apt-get update`
`44`		`- sudo apt-get install ${{ inputs.os-dependencies }}`
	`46`	`+ # shellcheck disable=SC2086`
	`47`	`+ sudo apt-get install ${OS_DEPS}`
`45`	`48`	`-`
`46`	`49`	`name: Checkout`
`47`	`50`	`uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2`
Original file line number	Diff line number	Diff line change
`@@ -79,9 +79,12 @@ jobs:`
`79`	`79`	`-`
`80`	`80`	`name: Install Dependencies # Some dependencies require this package`
`81`	`81`	`if: ${{ inputs.os-dependencies != '' }}`
	`82`	`+ env:`
	`83`	`+ OS_DEPS: ${{ inputs.os-dependencies }}`
`82`	`84`	`run: \|`
`83`	`85`	`sudo apt-get update`
`84`		`- sudo apt-get install ${{ inputs.os-dependencies }}`
	`86`	`+ # shellcheck disable=SC2086`
	`87`	`+ sudo apt-get install ${OS_DEPS}`
`85`	`88`	`-`
`86`	`89`	`name: Checkout`
`87`	`90`	`uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2`
Original file line number	Diff line number	Diff line change
`@@ -23,9 +23,12 @@ jobs:`
`23`	`23`	`-`
`24`	`24`	`name: Install Dependencies # Some dependencies require this package`
`25`	`25`	`if: ${{ inputs.os-dependencies != '' }}`
	`26`	`+ env:`
	`27`	`+ OS_DEPS: ${{ inputs.os-dependencies }}`
`26`	`28`	`run: \|`
`27`	`29`	`sudo apt-get update`
`28`		`- sudo apt-get install ${{ inputs.os-dependencies }}`
	`30`	`+ # shellcheck disable=SC2086`
	`31`	`+ sudo apt-get install ${OS_DEPS}`
`29`	`32`	`-`
`30`	`33`	`name: Checkout`
`31`	`34`	`uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2`