Improve security of GitHub Actions workflows

Signed-off-by: Caleb Xu <caxu@redhat.com>

Author: caxu-rh

.github/workflows/add-release-info-to-pyxis.yml

@@ -41,9 +41,12 @@ jobs:
           --key '${{ env.KEY_FILE_LOCATION }}' \
           --pass '${{ secrets.certificatePassword }}' \
           -H 'Content-Type: application/json' \
-          -d '{"commit":"${{ inputs.commit }}","enabled_for_testing":true,"name":"github.com/redhat-openshift-ecosystem/openshift-preflight","version":"${{ inputs.tag }}"}' \
+          -d ${DATA_PAYLOAD} \
           -X POST \
-          'https://${{ inputs.host }}/v1/tools' | jq
+          ${PYXIS_ENDPOINT} | jq
+        env:
+          DATA_PAYLOAD: '{"commit":"${{ inputs.commit }}","enabled_for_testing":true,"name":"github.com/redhat-openshift-ecosystem/openshift-preflight","version":"${{ inputs.tag }}"}'
+          PYXIS_ENDPOINT: 'https://${{ inputs.host }}/v1/tools'
 
       - name: Cleanup
         if: always()

.github/workflows/build-main.yml

@@ -6,31 +6,39 @@ on:
 
 env:
   IMAGE_NAME: preflight
-  
+
 jobs:
   build-main:
+    # TODO: Set explicit permissions for this job.
+    # zizmor: ignore[excessive-permissions]
     name: Build and push main snapshot images
     strategy: 
       matrix:
         architecture: [amd64,ppc64le,arm64,s390x]
         platform: [linux]
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+        persist-credentials: false
+
     - name: Fetch latest release version
-      uses: reloc8/action-latest-release-version@1.0.0
+      uses: reloc8/action-latest-release-version@b8d6337f30390558e7874a044d6a3c1314314bab # 1.0.0
       id: fetch-latest-release
-    - name: Set Env Tags
-      run: echo RELEASE_TAG=${{ steps.fetch-latest-release.outputs.latest-release }} >> $GITHUB_ENV
-    - name: set short sha
-      run: echo SHA_SHORT=$(git rev-parse --short HEAD) >> $GITHUB_ENV
+
+    - name: Set release tag and short SHA
+      run: |
+        echo RELEASE_TAG=${RELEASE_TAG} >> $GITHUB_ENV
+        echo SHA_SHORT=$(git rev-parse --short HEAD) >> $GITHUB_ENV
+      env:
+        RELEASE_TAG: ${{ steps.fetch-latest-release.outputs.latest-release }}
 
     - name: Set up QEMU
-      uses: docker/setup-qemu-action@v3
+      uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
 
     - name: Build Image
       id: build-image
-      uses: redhat-actions/buildah-build@v2
+      uses: redhat-actions/buildah-build@7a95fa7ee0f02d552a32753e7414641a04307056 # v2.13
       with:
         image: ${{ secrets.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}
         tags: ${{ env.SHA_SHORT }}-${{ matrix.platform }}-${{ matrix.architecture }}
@@ -44,7 +52,7 @@ jobs:
 
     - name: Push Image
       id: push-image
-      uses: redhat-actions/push-to-registry@v2
+      uses: redhat-actions/push-to-registry@5ed88d269cf581ea9ef6dd6806d01562096bee9c # v2.8
       with:
         image: ${{ env.IMAGE_NAME }}
         tags: ${{ env.SHA_SHORT }}-${{ matrix.platform }}-${{ matrix.architecture }}
@@ -53,22 +61,28 @@ jobs:
         password: ${{ secrets.REGISTRY_PASSWORD }}
 
     - name: Print image url
-      run: echo "Image pushed to ${{ steps.push-image.outputs.registry-paths }}"
+      run: echo "Image pushed to ${REGISTRY_PATHS}"
+      env:
+        REGISTRY_PATHS: ${{ steps.push-image.outputs.registry-paths }}
 
     outputs:
       imageName: ${{ env.IMAGE_NAME }}
       imageVersion: ${{ env.SHA_SHORT }}
 
   build-coverage:
+    # TODO: Set explicit permissions for this job.
+    # zizmor: ignore[excessive-permissions]
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+        persist-credentials: false
 
     - name: Install system deps
       run: 'sudo apt update && sudo apt install -y libgpgme-dev libbtrfs-dev libdevmapper-dev'
 
     - name: Set up Go
-      uses: actions/setup-go@v5
+      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
       with:
         go-version-file: go.mod
 
@@ -85,12 +99,14 @@ jobs:
       run: make cover
 
     - name: Coveralls
-      uses: coverallsapp/github-action@v2
+      uses: coverallsapp/github-action@648a8eb78e6d50909eff900e4ec85cab4524a45b # v2.3.6
       with:
         github-token: ${{ secrets.GITHUB_TOKEN }}
         file: coverage.out
 
   build-multiarch:
+    # TODO: Set explicit permissions for this job.
+    # zizmor: ignore[excessive-permissions]
     needs: build-main
     uses: ./.github/workflows/build-multiarch.yml
     with:

.github/workflows/build-multiarch.yml

@@ -55,37 +55,49 @@ jobs:
 
       # Authenticate to container image registry to push the image
       - name: Podman Login
-        uses: redhat-actions/podman-login@v1
+        uses: redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 # v1.7
         with:
           registry: ${{ secrets.registry }}
           username: ${{ secrets.user }}
           password: ${{ secrets.password }}
 
       - name: Create and add to manifest
         run: |
-          buildah manifest create ${{ inputs.name }}
-          buildah manifest add ${{ inputs.name }} ${{ secrets.registry }}/${{ inputs.name }}:${{ inputs.tag }}-linux-amd64
-          buildah manifest add ${{ inputs.name }} ${{ secrets.registry }}/${{ inputs.name }}:${{ inputs.tag }}-linux-ppc64le
-          buildah manifest add ${{ inputs.name }} ${{ secrets.registry }}/${{ inputs.name }}:${{ inputs.tag }}-linux-arm64
-          buildah manifest add ${{ inputs.name }} ${{ secrets.registry }}/${{ inputs.name }}:${{ inputs.tag }}-linux-s390x
+          buildah manifest create ${INPUT_NAME}
+          buildah manifest add ${INPUT_NAME} ${{ secrets.registry }}/${INPUT_NAME}:${INPUT_TAG}-linux-amd64
+          buildah manifest add ${INPUT_NAME} ${{ secrets.registry }}/${INPUT_NAME}:${INPUT_TAG}-linux-ppc64le
+          buildah manifest add ${INPUT_NAME} ${{ secrets.registry }}/${INPUT_NAME}:${INPUT_TAG}-linux-arm64
+          buildah manifest add ${INPUT_NAME} ${{ secrets.registry }}/${INPUT_NAME}:${INPUT_TAG}-linux-s390x
+        env:
+          INPUT_NAME: ${{ inputs.name }}
+          INPUT_TAG: ${{ inputs.tag }}
 
       - name: Push manifest
         id: push-manifest
         run: |
-            podman manifest push --digestfile imagedigest ${{ inputs.name }} ${{ secrets.registry }}/${{ inputs.name }}:${{ inputs.tag }}  --all
+            podman manifest push --digestfile imagedigest ${INPUT_NAME} ${{ secrets.registry }}/${INPUT_NAME}:${INPUT_TAG}  --all
             echo "digest=$(cat imagedigest)" | tee -a $GITHUB_OUTPUT
+        env:
+          INPUT_NAME: ${{ inputs.name }}
+          INPUT_TAG: ${{ inputs.tag }}
 
       - name: Sign the published manifest
         # only sign if release is published, not for ghactions branch push
         # which is used for testing and development.
         if: ${{ inputs.sign == true && github.event.release && github.event.action == 'published' }}
         run: |
-          cosign sign --yes --recursive ${{ secrets.registry }}/${{ inputs.name }}@${{ steps.push-manifest.outputs.digest }}
+          cosign sign --yes --recursive ${{ secrets.registry }}/${INPUT_NAME}@${DIGEST}
+        env:
+          DIGEST: ${{ steps.push-manifest.outputs.digest }}
+          INPUT_NAME: ${{ inputs.name }}
 
       - name: Verify the image signature
         if: ${{ inputs.sign == true && github.event.release && github.event.action == 'published' }}
         run: |
           cosign verify \
-            --certificate-identity https://github.com/${{ github.repository }}/.github/workflows/build-multiarch.yml@refs/tags/${{ inputs.tag }} \
+            --certificate-identity https://github.com/${{ github.repository }}/.github/workflows/build-multiarch.yml@refs/tags/${INPUT_TAG} \
             --certificate-oidc-issuer https://token.actions.githubusercontent.com \
-            ${{ secrets.registry }}/${{ inputs.name }}:${{ inputs.tag }}
+            ${{ secrets.registry }}/${INPUT_NAME}:${INPUT_TAG}
+        env:
+          INPUT_NAME: ${{ inputs.name }}
+          INPUT_TAG: ${{ inputs.tag }}

.github/workflows/build-release.yml

@@ -12,23 +12,28 @@ env:
 
 jobs:
   build-release:
+    # TODO: Set explicit permissions for this job.
+    # zizmor: ignore[excessive-permissions]
     name: Build and push tag images
     strategy:
       matrix:
         architecture: [amd64,ppc64le,arm64,s390x]
         platform: [linux]
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+        persist-credentials: false
+
     - name: Set Env Tags
       run: echo RELEASE_TAG=$(echo $GITHUB_REF | cut -d '/' -f 3) >> $GITHUB_ENV
 
     - name: Set up QEMU
-      uses: docker/setup-qemu-action@v3
+      uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
 
     - name: Build Image
       id: build-image
-      uses: redhat-actions/buildah-build@v2
+      uses: redhat-actions/buildah-build@7a95fa7ee0f02d552a32753e7414641a04307056 # v2.13
       with:
         image: ${{ secrets.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}
         tags: ${{ env.RELEASE_TAG }}-${{ matrix.platform }}-${{ matrix.architecture }}
@@ -41,7 +46,7 @@ jobs:
 
     - name: Push Image
       id: push-image
-      uses: redhat-actions/push-to-registry@v2
+      uses: redhat-actions/push-to-registry@5ed88d269cf581ea9ef6dd6806d01562096bee9c # v2.8
       with:
         image: ${{ env.IMAGE_NAME }}
         tags: ${{ env.RELEASE_TAG }}-${{ matrix.platform }}-${{ matrix.architecture }}
@@ -50,7 +55,9 @@ jobs:
         password: ${{ secrets.REGISTRY_PASSWORD }}
 
     - name: Print image url
-      run: echo "Image pushed to ${{ steps.push-image.outputs.registry-paths }}"
+      run: echo "Image pushed to ${REGISTRY_PATHS}"
+      env:
+        REGISTRY_PATHS: ${{ steps.push-image.outputs.registry-paths }}
 
     outputs:
       imageName: ${{ env.IMAGE_NAME }}
@@ -78,6 +85,8 @@ jobs:
       token: ${{ secrets.GITHUB_TOKEN }}
 
   extract-assets:
+    # TODO: Set explicit permissions for this job.
+    # zizmor: ignore[excessive-permissions]
     needs: build-release
     uses: ./.github/workflows/release-artifacts.yml
     with:
@@ -90,6 +99,8 @@ jobs:
       token: ${{ secrets.GITHUB_TOKEN }}
 
   add-release-info-to-pyxis:
+    # TODO: Set explicit permissions for this job.
+    # zizmor: ignore[excessive-permissions]
     needs: [build-release, extract-assets]
     uses: ./.github/workflows/add-release-info-to-pyxis.yml
     if: "!github.event.release.prerelease"
@@ -103,6 +114,8 @@ jobs:
       certificatePassword: ${{ secrets.PREFLIGHT_RELEASE_PASSWORD }}
 
   copy-to-rhisv:
+    # TODO: Set explicit permissions for this job.
+    # zizmor: ignore[excessive-permissions]
     needs: [build-release, build-multiarch]
     uses: ./.github/workflows/copy-to-rhisv.yml
     with:

.github/workflows/check-actions.yml

@@ -0,0 +1,23 @@
+name: Analyze GitHub Actions security
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    branches: ["**"]
+
+permissions: {}
+
+jobs:
+  zizmor:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: Run zizmor
+        uses: zizmorcore/zizmor-action@f52a838cfabf134edcbaa7c8b3677dde20045018 # v0.1.1
+        with:
+          advanced-security: false

.github/workflows/code-review.yml

@@ -1,12 +1,18 @@
 name: Gemini AI Code Review
 
-on:
+# pull_request_target is needed to access the Gemini key and modify (set/remove labels, comment on)
+# the pull request.
+on: # zizmor: ignore[dangerous-triggers]
   pull_request_target:
     types: [opened, synchronize, reopened, labeled]
 
+# TODO: Assign permissions in individual jobs rather than at the
+# workflow level to avoid blindly handing out `pull-requests: write`
+# at the workflow level to all jobs (particularly if new jobs are
+# added in this workflow in the future).
 permissions:
   contents: read
-  pull-requests: write
+  pull-requests: write # zizmor: ignore[excessive-permissions]
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.run_id }}
@@ -21,15 +27,19 @@ jobs:
       pull-requests: write
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
       - name: Handle review label
         id: prep
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           PR_NUMBER: ${{ github.event.pull_request.number }}
+          LABEL_JSON: ${{ toJSON(github.event.pull_request.labels.*.name) }}
+          EVENT_ACTION: ${{ github.event.action }}
         run: |
-          HAS_LABEL=$(echo '${{ toJSON(github.event.pull_request.labels.*.name) }}' | jq 'any(. == "gemini-review")')
-          EVENT_ACTION="${{ github.event.action }}"
+          HAS_LABEL=$(jq -n 'env.LABEL_JSON | fromjson | any(. == "gemini-review")')
 
           if [[ "$HAS_LABEL" == "true" && "$EVENT_ACTION" != "labeled" ]]; then
             echo "gemini-review label found on a '${EVENT_ACTION}' event. Removing label and skipping review."
@@ -52,10 +62,11 @@ jobs:
         uses: actions/checkout@v4
         with:
           ref: refs/pull/${{ github.event.pull_request.number }}/merge
+          persist-credentials: false
           fetch-depth: 0
 
       - name: Gemini AI Code Review
-        uses: sshnaidm/gemini-code-review-action@d4ccdaf0e2cad5cb79f80f6db07857c0e7fff28f
+        uses: sshnaidm/gemini-code-review-action@d4ccdaf0e2cad5cb79f80f6db07857c0e7fff28f # v1
         with:
           gemini-key: ${{ secrets.GEMINI_API_KEY }}
           model: 'gemini-2.5-flash'

.github/workflows/copy-to-rhisv.yml

@@ -28,18 +28,24 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Podman Login
-      uses: redhat-actions/podman-login@v1
+      uses: redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 # v1.7
       with:
-        registry: ${{ secrets.destImageRegistry }}
+        registry: ${DEST_IMAGE_REGISTRY}
         username: ${{ secrets.destRegistryUser }}
         password: ${{ secrets.destRegistryPassword }}
 
     - name: Copy Images from Source to Dest
       id: skopeo-copy-image
       run: |
         skopeo -v
-        skopeo copy --all --preserve-digests docker://${{ secrets.sourceImageRegistry }}/${{ inputs.sourceImageName }}:${{ inputs.sourceImageTag }}-linux-amd64 docker://${{ secrets.destImageRegistry }}/${{ inputs.destImageName }}:${{ inputs.sourceImageTag }}-linux-amd64
-        skopeo copy --all --preserve-digests docker://${{ secrets.sourceImageRegistry }}/${{ inputs.sourceImageName }}:${{ inputs.sourceImageTag }}-linux-ppc64le docker://${{ secrets.destImageRegistry }}/${{ inputs.destImageName }}:${{ inputs.sourceImageTag }}-linux-ppc64le
-        skopeo copy --all --preserve-digests docker://${{ secrets.sourceImageRegistry }}/${{ inputs.sourceImageName }}:${{ inputs.sourceImageTag }}-linux-arm64 docker://${{ secrets.destImageRegistry }}/${{ inputs.destImageName }}:${{ inputs.sourceImageTag }}-linux-arm64
-        skopeo copy --all --preserve-digests docker://${{ secrets.sourceImageRegistry }}/${{ inputs.sourceImageName }}:${{ inputs.sourceImageTag }}-linux-s390x docker://${{ secrets.destImageRegistry }}/${{ inputs.destImageName }}:${{ inputs.sourceImageTag }}-linux-s390x
-        skopeo copy --all --preserve-digests docker://${{ secrets.sourceImageRegistry }}/${{ inputs.sourceImageName }}:${{ inputs.sourceImageTag }} docker://${{ secrets.destImageRegistry }}/${{ inputs.destImageName }}:${{ inputs.sourceImageTag }}
+        skopeo copy --all --preserve-digests docker://${SOURCE_IMAGE_REGISTRY}/${SOURCE_IMAGE_NAME}:${SOURCE_IMAGE_TAG}-linux-amd64 docker://${DEST_IMAGE_REGISTRY}/${DEST_IMAGE_NAME}:${SOURCE_IMAGE_TAG}-linux-amd64
+        skopeo copy --all --preserve-digests docker://${SOURCE_IMAGE_REGISTRY}/${SOURCE_IMAGE_NAME}:${SOURCE_IMAGE_TAG}-linux-ppc64le docker://${DEST_IMAGE_REGISTRY}/${DEST_IMAGE_NAME}:${SOURCE_IMAGE_TAG}-linux-ppc64le
+        skopeo copy --all --preserve-digests docker://${SOURCE_IMAGE_REGISTRY}/${SOURCE_IMAGE_NAME}:${SOURCE_IMAGE_TAG}-linux-arm64 docker://${DEST_IMAGE_REGISTRY}/${DEST_IMAGE_NAME}:${SOURCE_IMAGE_TAG}-linux-arm64
+        skopeo copy --all --preserve-digests docker://${SOURCE_IMAGE_REGISTRY}/${SOURCE_IMAGE_NAME}:${SOURCE_IMAGE_TAG}-linux-s390x docker://${DEST_IMAGE_REGISTRY}/${DEST_IMAGE_NAME}:${SOURCE_IMAGE_TAG}-linux-s390x
+        skopeo copy --all --preserve-digests docker://${SOURCE_IMAGE_REGISTRY}/${SOURCE_IMAGE_NAME}:${SOURCE_IMAGE_TAG} docker://${DEST_IMAGE_REGISTRY}/${DEST_IMAGE_NAME}:${SOURCE_IMAGE_TAG}
+      env:
+        SOURCE_IMAGE_REGISTRY: ${{ secrets.sourceImageRegistry }}
+        SOURCE_IMAGE_NAME: ${{ inputs.sourceImageName }}
+        SOURCE_IMAGE_TAG: ${{ inputs.sourceImageTag }}
+        DEST_IMAGE_REGISTRY: ${{ secrets.destImageRegistry }}
+        DEST_IMAGE_NAME: ${{ inputs.destImageName }}

.github/workflows/go.yml

@@ -8,9 +8,13 @@ on:
 
 jobs:
   build:
+    # TODO: Set explicit permissions for this job.
+    # zizmor: ignore[excessive-permissions]
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+        persist-credentials: false
 
     - name: Install system deps
       run: 'sudo apt update && sudo apt install -y libgpgme-dev libbtrfs-dev libdevmapper-dev'
@@ -36,7 +40,7 @@ jobs:
       run: make cover
 
     - name: Coveralls
-      uses: coverallsapp/github-action@v2
+      uses: coverallsapp/github-action@648a8eb78e6d50909eff900e4ec85cab4524a45b # v2.3.6
       with:
         github-token: ${{ secrets.GITHUB_TOKEN }}
         file: coverage.out