Harden GitHub Actions workflows against expression injection and secret leakage

tashian · claude · tashian · commit 6e99b299c2d2 · 2026-03-02T16:01:39.000-08:00
- Replace direct ${{ inputs.* }} interpolation in run: blocks with env: vars to prevent shell injection (goBuild, goTest, goLint, govulncheck, codeql, goreleaser) - Replace secrets: inherit with explicit per-workflow secret forwarding in goCI.yml - Remove unnecessary secrets: inherit from actionlint call in ci.yml - Add least-privilege permissions: block to triage.yml reusable workflow - Move permissions from workflow-level to job-level in dependabot-auto-merge.yml Ref: https://www.stepsecurity.io/blog/hackerbot-claw-github-actions-exploitation Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -19,7 +19,6 @@ jobs:
   actionlint:
     name: Lint GitHub workflows
     uses: ./.github/workflows/actionlint.yml
-    secrets: inherit
 
   lint-dummy-app: # NOTE(@azazeal): this check is here to verify that .golangci.yml is valid
     name: Lint dummy app
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -43,9 +43,11 @@ jobs:
       -
         name: Install Dependencies
         if: ${{ inputs.os-dependencies != '' }}
+        env:
+          OS_DEPS: ${{ inputs.os-dependencies }}
         run: |
           sudo apt-get update
-          sudo apt-get install ${{ inputs.os-dependencies }}
+          sudo apt-get install ${OS_DEPS}
       -
         name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -109,8 +111,10 @@ jobs:
           make bootstrap
       -
         name: Build
+        env:
+          CODEQL_BUILD_CMD: ${{ inputs.codeql-build-cmd }}
         run: |
-          ${{ inputs.codeql-build-cmd }}
+          ${CODEQL_BUILD_CMD}
       -
         name: Perform CodeQL Analysis
         uses: github/codeql-action/analyze@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml
@@ -6,14 +6,15 @@ on:
       DEPENDABOT_TOKEN:
         required: true
 
-permissions:
-  contents: write
-  pull-requests: write
+permissions: {}
 
 jobs:
   dependabot:
     runs-on: ubuntu-latest
     if: ${{ github.actor == 'dependabot[bot]' }}
+    permissions:
+      contents: write
+      pull-requests: write
     steps:
       - name: Dependabot metadata
         id: metadata
diff --git a/.github/workflows/goBuild.yml b/.github/workflows/goBuild.yml
@@ -53,9 +53,11 @@ jobs:
       -
         name: Install Dependencies # Some dependencies require this package
         if: ${{ inputs.os-dependencies != '' }}
+        env:
+          OS_DEPS: ${{ inputs.os-dependencies }}
         run: |
           sudo apt-get update
-          sudo apt-get install ${{ inputs.os-dependencies }}
+          sudo apt-get install ${OS_DEPS}
       -
         name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -88,4 +90,6 @@ jobs:
             ${{ secrets.SSH_PRIVATE_KEY }}
       -
         name: Build
-        run: ${{ inputs.build-command }}
+        env:
+          BUILD_CMD: ${{ inputs.build-command }}
+        run: ${BUILD_CMD}
diff --git a/.github/workflows/goCI.yml b/.github/workflows/goCI.yml
@@ -104,15 +104,19 @@ jobs:
       os-dependencies: ${{ inputs.os-dependencies }}
       skip-go-generate: ${{ inputs.lint-skip-go-generate }}
       skip-go-mod-tidy: ${{ inputs.lint-skip-go-mod-tidy }}
-    secrets: inherit
+    secrets:
+      SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
+      PAT: ${{ secrets.PAT }}
 
   govulncheck:
     uses: ./.github/workflows/govulncheck.yml
     if: inputs.run-govulncheck
     with:
       os-dependencies: ${{ inputs.os-dependencies }}
       goprivate: ${{ inputs.goprivate }}
-    secrets: inherit
+    secrets:
+      SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
+      PAT: ${{ secrets.PAT }}
 
   codeql:
     if: inputs.run-codeql
@@ -122,7 +126,9 @@ jobs:
       os-dependencies: ${{ inputs.os-dependencies }}
       codeql-make-bootstrap: ${{ inputs.codeql-make-bootstrap }}
       codeql-build-cmd: ${{ inputs.codeql-build-cmd }}
-    secrets: inherit
+    secrets:
+      SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
+      PAT: ${{ secrets.PAT }}
 
   test:
     uses: ./.github/workflows/goTest.yml
@@ -134,7 +140,10 @@ jobs:
       run-codecov: ${{ inputs.run-codecov }}
       setup-bats: ${{ inputs.setup-bats }}
       test-command: ${{ inputs.test-command }}
-    secrets: inherit
+    secrets:
+      SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
+      PAT: ${{ secrets.PAT }}
+      CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
 
   build:
     uses: ./.github/workflows/goBuild.yml
@@ -144,4 +153,6 @@ jobs:
       goprivate: ${{ inputs.goprivate }}
       only-latest-golang: ${{ inputs.only-latest-golang }}
       os-dependencies: ${{ inputs.os-dependencies }}
-    secrets: inherit
+    secrets:
+      SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
+      PAT: ${{ secrets.PAT }}
diff --git a/.github/workflows/goLint.yml b/.github/workflows/goLint.yml
@@ -39,9 +39,11 @@ jobs:
       -
         name: Install Dependencies # Some dependencies require this package
         if: ${{ inputs.os-dependencies != '' }}
+        env:
+          OS_DEPS: ${{ inputs.os-dependencies }}
         run: |
           sudo apt-get update
-          sudo apt-get install ${{ inputs.os-dependencies }}
+          sudo apt-get install ${OS_DEPS}
       -
         name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
diff --git a/.github/workflows/goTest.yml b/.github/workflows/goTest.yml
@@ -70,9 +70,11 @@ jobs:
       -
         name: Install Dependencies
         if: inputs.os-dependencies != ''
+        env:
+          OS_DEPS: ${{ inputs.os-dependencies }}
         run: |
           sudo apt-get update
-          sudo apt-get install ${{ inputs.os-dependencies }}
+          sudo apt-get install ${OS_DEPS}
       -
         name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -123,8 +125,10 @@ jobs:
             ${{ secrets.SSH_PRIVATE_KEY }}
       -
         name: Install gotestsum
+        env:
+          GOTESTSUM_VERSION: ${{ inputs.gotestsum-version }}
         run: |
-          go install gotest.tools/gotestsum@v${{ inputs.gotestsum-version }}
+          go install gotest.tools/gotestsum@v${GOTESTSUM_VERSION}
       -
         name: Setup BATS
         if: inputs.setup-bats
@@ -133,9 +137,10 @@ jobs:
           bats-version: 1.9.0
       -
         name: Run Test Suite
-        run: ${{ inputs.test-command }}
         env:
+          TEST_CMD: ${{ inputs.test-command }}
           GOTESTSUM_JSONFILE: gotestsum.json
+        run: ${TEST_CMD}
 
       -
         name: Annotate Test Suite Results
diff --git a/.github/workflows/goreleaser.yml b/.github/workflows/goreleaser.yml
@@ -79,9 +79,11 @@ jobs:
       -
         name: Install Dependencies # Some dependencies require this package
         if: ${{ inputs.os-dependencies != '' }}
+        env:
+          OS_DEPS: ${{ inputs.os-dependencies }}
         run: |
           sudo apt-get update
-          sudo apt-get install ${{ inputs.os-dependencies }}
+          sudo apt-get install ${OS_DEPS}
       -
         name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
diff --git a/.github/workflows/govulncheck.yml b/.github/workflows/govulncheck.yml
@@ -23,9 +23,11 @@ jobs:
       -
         name: Install Dependencies # Some dependencies require this package
         if: ${{ inputs.os-dependencies != '' }}
+        env:
+          OS_DEPS: ${{ inputs.os-dependencies }}
         run: |
           sudo apt-get update
-          sudo apt-get install ${{ inputs.os-dependencies }}
+          sudo apt-get install ${OS_DEPS}
       -
         name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
diff --git a/.github/workflows/triage.yml b/.github/workflows/triage.yml
@@ -15,6 +15,10 @@ on:
         type: boolean
         default: true
 
+permissions:
+  pull-requests: write
+  issues: write
+
 jobs:
   label-pr:
     name: Label PR

Original file line number	Diff line number	Diff line change
`@@ -43,9 +43,11 @@ jobs:`
`43`	`43`	`-`
`44`	`44`	`name: Install Dependencies`
`45`	`45`	`if: ${{ inputs.os-dependencies != '' }}`
	`46`	`+ env:`
	`47`	`+ OS_DEPS: ${{ inputs.os-dependencies }}`
`46`	`48`	`run: \|`
`47`	`49`	`sudo apt-get update`
`48`		`- sudo apt-get install ${{ inputs.os-dependencies }}`
	`50`	`+ sudo apt-get install ${OS_DEPS}`
`49`	`51`	`-`
`50`	`52`	`name: Checkout`
`51`	`53`	`uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2`
`@@ -109,8 +111,10 @@ jobs:`
`109`	`111`	`make bootstrap`
`110`	`112`	`-`
`111`	`113`	`name: Build`
	`114`	`+ env:`
	`115`	`+ CODEQL_BUILD_CMD: ${{ inputs.codeql-build-cmd }}`
`112`	`116`	`run: \|`
`113`		`- ${{ inputs.codeql-build-cmd }}`
	`117`	`+ ${CODEQL_BUILD_CMD}`
`114`	`118`	`-`
`115`	`119`	`name: Perform CodeQL Analysis`
`116`	`120`	`uses: github/codeql-action/analyze@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4`
Original file line number	Diff line number	Diff line change
`@@ -39,9 +39,11 @@ jobs:`
`39`	`39`	`-`
`40`	`40`	`name: Install Dependencies # Some dependencies require this package`
`41`	`41`	`if: ${{ inputs.os-dependencies != '' }}`
	`42`	`+ env:`
	`43`	`+ OS_DEPS: ${{ inputs.os-dependencies }}`
`42`	`44`	`run: \|`
`43`	`45`	`sudo apt-get update`
`44`		`- sudo apt-get install ${{ inputs.os-dependencies }}`
	`46`	`+ sudo apt-get install ${OS_DEPS}`
`45`	`47`	`-`
`46`	`48`	`name: Checkout`
`47`	`49`	`uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2`
Original file line number	Diff line number	Diff line change
`@@ -70,9 +70,11 @@ jobs:`
`70`	`70`	`-`
`71`	`71`	`name: Install Dependencies`
`72`	`72`	`if: inputs.os-dependencies != ''`
	`73`	`+ env:`
	`74`	`+ OS_DEPS: ${{ inputs.os-dependencies }}`
`73`	`75`	`run: \|`
`74`	`76`	`sudo apt-get update`
`75`		`- sudo apt-get install ${{ inputs.os-dependencies }}`
	`77`	`+ sudo apt-get install ${OS_DEPS}`
`76`	`78`	`-`
`77`	`79`	`name: Checkout`
`78`	`80`	`uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2`
`@@ -123,8 +125,10 @@ jobs:`
`123`	`125`	`${{ secrets.SSH_PRIVATE_KEY }}`
`124`	`126`	`-`
`125`	`127`	`name: Install gotestsum`
	`128`	`+ env:`
	`129`	`+ GOTESTSUM_VERSION: ${{ inputs.gotestsum-version }}`
`126`	`130`	`run: \|`
`127`		`- go install gotest.tools/gotestsum@v${{ inputs.gotestsum-version }}`
	`131`	`+ go install gotest.tools/gotestsum@v${GOTESTSUM_VERSION}`
`128`	`132`	`-`
`129`	`133`	`name: Setup BATS`
`130`	`134`	`if: inputs.setup-bats`
`@@ -133,9 +137,10 @@ jobs:`
`133`	`137`	`bats-version: 1.9.0`
`134`	`138`	`-`
`135`	`139`	`name: Run Test Suite`
`136`		`- run: ${{ inputs.test-command }}`
`137`	`140`	`env:`
	`141`	`+ TEST_CMD: ${{ inputs.test-command }}`
`138`	`142`	`GOTESTSUM_JSONFILE: gotestsum.json`
	`143`	`+ run: ${TEST_CMD}`
`139`	`144`
`140`	`145`	`-`
`141`	`146`	`name: Annotate Test Suite Results`
Original file line number	Diff line number	Diff line change
`@@ -79,9 +79,11 @@ jobs:`
`79`	`79`	`-`
`80`	`80`	`name: Install Dependencies # Some dependencies require this package`
`81`	`81`	`if: ${{ inputs.os-dependencies != '' }}`
	`82`	`+ env:`
	`83`	`+ OS_DEPS: ${{ inputs.os-dependencies }}`
`82`	`84`	`run: \|`
`83`	`85`	`sudo apt-get update`
`84`		`- sudo apt-get install ${{ inputs.os-dependencies }}`
	`86`	`+ sudo apt-get install ${OS_DEPS}`
`85`	`87`	`-`
`86`	`88`	`name: Checkout`
`87`	`89`	`uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2`
Original file line number	Diff line number	Diff line change
`@@ -23,9 +23,11 @@ jobs:`
`23`	`23`	`-`
`24`	`24`	`name: Install Dependencies # Some dependencies require this package`
`25`	`25`	`if: ${{ inputs.os-dependencies != '' }}`
	`26`	`+ env:`
	`27`	`+ OS_DEPS: ${{ inputs.os-dependencies }}`
`26`	`28`	`run: \|`
`27`	`29`	`sudo apt-get update`
`28`		`- sudo apt-get install ${{ inputs.os-dependencies }}`
	`30`	`+ sudo apt-get install ${OS_DEPS}`
`29`	`31`	`-`
`30`	`32`	`name: Checkout`
`31`	`33`	`uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2`