Improve security of GitHub Actions workflows

Signed-off-by: Caleb Xu <caxu@redhat.com>

Author: caxu-rh

.github/workflows/add-release-info-to-pyxis.yml

@@ -37,13 +37,16 @@ jobs:
       - name: Call Pyxis API
         run: |
           curl --fail-with-body \
-          --cert '${{ env.CERT_FILE_LOCATION }}' \
-          --key '${{ env.KEY_FILE_LOCATION }}' \
+          --cert "${CERT_FILE_LOCATION}" \
+          --key "${KEY_FILE_LOCATION}" \
           --pass '${{ secrets.certificatePassword }}' \
           -H 'Content-Type: application/json' \
-          -d '{"commit":"${{ inputs.commit }}","enabled_for_testing":true,"name":"github.com/redhat-openshift-ecosystem/openshift-preflight","version":"${{ inputs.tag }}"}' \
+          -d "${DATA_PAYLOAD}" \
           -X POST \
-          'https://${{ inputs.host }}/v1/tools' | jq
+          "${PYXIS_ENDPOINT}" | jq
+        env:
+          DATA_PAYLOAD: '{"commit":"${{ inputs.commit }}","enabled_for_testing":true,"name":"github.com/redhat-openshift-ecosystem/openshift-preflight","version":"${{ inputs.tag }}"}'
+          PYXIS_ENDPOINT: 'https://${{ inputs.host }}/v1/tools'
 
       - name: Cleanup
         if: always()

.github/workflows/build-main.yml

@@ -6,31 +6,38 @@ on:
 
 env:
   IMAGE_NAME: preflight
-  
+
 jobs:
   build-main:
+    # TODO: Set explicit permissions for this job.
+    # zizmor: ignore[excessive-permissions]
     name: Build and push main snapshot images
     strategy: 
       matrix:
         architecture: [amd64,ppc64le,arm64,s390x]
         platform: [linux]
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v5
+    - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      with:
+        persist-credentials: false
     - name: Fetch latest release version
-      uses: reloc8/action-latest-release-version@1.0.0
+      uses: reloc8/action-latest-release-version@b8d6337f30390558e7874a044d6a3c1314314bab # 1.0.0
       id: fetch-latest-release
-    - name: Set Env Tags
-      run: echo RELEASE_TAG=${{ steps.fetch-latest-release.outputs.latest-release }} >> $GITHUB_ENV
-    - name: set short sha
-      run: echo SHA_SHORT=$(git rev-parse --short HEAD) >> $GITHUB_ENV
+
+    - name: Set release tag and short SHA
+      run: |
+        echo "RELEASE_TAG=${RELEASE_TAG}" >> "${GITHUB_ENV}"
+        echo "SHA_SHORT=$(git rev-parse --short HEAD)" >> "${GITHUB_ENV}"
+      env:
+        RELEASE_TAG: ${{ steps.fetch-latest-release.outputs.latest-release }}
 
     - name: Set up QEMU
-      uses: docker/setup-qemu-action@v3
+      uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
 
     - name: Build Image
       id: build-image
-      uses: redhat-actions/buildah-build@v2
+      uses: redhat-actions/buildah-build@7a95fa7ee0f02d552a32753e7414641a04307056 # v2.13
       with:
         image: ${{ secrets.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}
         tags: ${{ env.SHA_SHORT }}-${{ matrix.platform }}-${{ matrix.architecture }}
@@ -44,7 +51,7 @@ jobs:
 
     - name: Run and Validate Image
       run: |
-        if ! podman run --rm ${IMAGE_WITH_TAG} version; then
+        if ! podman run --rm "${IMAGE_WITH_TAG}" version; then
             echo "Image validation failed. The 'podman run' command returned a non-zero exit code."
             exit 1
         fi
@@ -53,7 +60,7 @@ jobs:
 
     - name: Push Image
       id: push-image
-      uses: redhat-actions/push-to-registry@v2
+      uses: redhat-actions/push-to-registry@5ed88d269cf581ea9ef6dd6806d01562096bee9c # v2.8
       with:
         image: ${{ env.IMAGE_NAME }}
         tags: ${{ env.SHA_SHORT }}-${{ matrix.platform }}-${{ matrix.architecture }}
@@ -62,22 +69,28 @@ jobs:
         password: ${{ secrets.REGISTRY_PASSWORD }}
 
     - name: Print image url
-      run: echo "Image pushed to ${{ steps.push-image.outputs.registry-paths }}"
+      run: echo "Image pushed to ${REGISTRY_PATHS}"
+      env:
+        REGISTRY_PATHS: ${{ steps.push-image.outputs.registry-paths }}
 
     outputs:
       imageName: ${{ env.IMAGE_NAME }}
       imageVersion: ${{ env.SHA_SHORT }}
 
   build-coverage:
+    # TODO: Set explicit permissions for this job.
+    # zizmor: ignore[excessive-permissions]
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v5
+    - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      with:
+        persist-credentials: false
 
     - name: Install system deps
       run: 'sudo apt update && sudo apt install -y libgpgme-dev libbtrfs-dev libdevmapper-dev'
 
     - name: Set up Go
-      uses: actions/setup-go@v6
+      uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
       with:
         go-version-file: go.mod
 
@@ -94,12 +107,14 @@ jobs:
       run: make cover
 
     - name: Coveralls
-      uses: coverallsapp/github-action@v2
+      uses: coverallsapp/github-action@648a8eb78e6d50909eff900e4ec85cab4524a45b # v2.3.6
       with:
         github-token: ${{ secrets.GITHUB_TOKEN }}
         file: coverage.out
 
   build-multiarch:
+    # TODO: Set explicit permissions for this job.
+    # zizmor: ignore[excessive-permissions]
     needs: build-main
     uses: ./.github/workflows/build-multiarch.yml
     with:

.github/workflows/build-multiarch.yml

@@ -55,37 +55,49 @@ jobs:
 
       # Authenticate to container image registry to push the image
       - name: Podman Login
-        uses: redhat-actions/podman-login@v1
+        uses: redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 # v1.7
         with:
           registry: ${{ secrets.registry }}
           username: ${{ secrets.user }}
           password: ${{ secrets.password }}
 
       - name: Create and add to manifest
         run: |
-          buildah manifest create ${{ inputs.name }}
-          buildah manifest add ${{ inputs.name }} ${{ secrets.registry }}/${{ inputs.name }}:${{ inputs.tag }}-linux-amd64
-          buildah manifest add ${{ inputs.name }} ${{ secrets.registry }}/${{ inputs.name }}:${{ inputs.tag }}-linux-ppc64le
-          buildah manifest add ${{ inputs.name }} ${{ secrets.registry }}/${{ inputs.name }}:${{ inputs.tag }}-linux-arm64
-          buildah manifest add ${{ inputs.name }} ${{ secrets.registry }}/${{ inputs.name }}:${{ inputs.tag }}-linux-s390x
+          buildah manifest create "${INPUT_NAME}"
+          buildah manifest add "${INPUT_NAME}" "${{ secrets.registry }}/${INPUT_NAME}:${INPUT_TAG}-linux-amd64"
+          buildah manifest add "${INPUT_NAME}" "${{ secrets.registry }}/${INPUT_NAME}:${INPUT_TAG}-linux-ppc64le"
+          buildah manifest add "${INPUT_NAME}" "${{ secrets.registry }}/${INPUT_NAME}:${INPUT_TAG}-linux-arm64"
+          buildah manifest add "${INPUT_NAME}" "${{ secrets.registry }}/${INPUT_NAME}:${INPUT_TAG}-linux-s390x"
+        env:
+          INPUT_NAME: ${{ inputs.name }}
+          INPUT_TAG: ${{ inputs.tag }}
 
       - name: Push manifest
         id: push-manifest
         run: |
-            podman manifest push --digestfile imagedigest ${{ inputs.name }} ${{ secrets.registry }}/${{ inputs.name }}:${{ inputs.tag }}  --all
-            echo "digest=$(cat imagedigest)" | tee -a $GITHUB_OUTPUT
+            podman manifest push --digestfile imagedigest "${INPUT_NAME}" "${{ secrets.registry }}/${INPUT_NAME}:${INPUT_TAG}" --all
+            echo "digest=$(cat imagedigest)" | tee -a "${GITHUB_OUTPUT}"
+        env:
+          INPUT_NAME: ${{ inputs.name }}
+          INPUT_TAG: ${{ inputs.tag }}
 
       - name: Sign the published manifest
         # only sign if release is published, not for ghactions branch push
         # which is used for testing and development.
         if: ${{ inputs.sign == true && github.event.release && github.event.action == 'published' }}
         run: |
-          cosign sign --yes --recursive ${{ secrets.registry }}/${{ inputs.name }}@${{ steps.push-manifest.outputs.digest }}
+          cosign sign --yes --recursive "${{ secrets.registry }}/${INPUT_NAME}@${DIGEST}"
+        env:
+          DIGEST: ${{ steps.push-manifest.outputs.digest }}
+          INPUT_NAME: ${{ inputs.name }}
 
       - name: Verify the image signature
         if: ${{ inputs.sign == true && github.event.release && github.event.action == 'published' }}
         run: |
           cosign verify \
-            --certificate-identity https://github.com/${{ github.repository }}/.github/workflows/build-multiarch.yml@refs/tags/${{ inputs.tag }} \
+            --certificate-identity "https://github.com/${{ github.repository }}/.github/workflows/build-multiarch.yml@refs/tags/${INPUT_TAG}" \
             --certificate-oidc-issuer https://token.actions.githubusercontent.com \
-            ${{ secrets.registry }}/${{ inputs.name }}:${{ inputs.tag }}
+            "${{ secrets.registry }}/${INPUT_NAME}:${INPUT_TAG}"
+        env:
+          INPUT_NAME: ${{ inputs.name }}
+          INPUT_TAG: ${{ inputs.tag }}

.github/workflows/build-release.yml

@@ -12,23 +12,28 @@ env:
 
 jobs:
   build-release:
+    # TODO: Set explicit permissions for this job.
+    # zizmor: ignore[excessive-permissions]
     name: Build and push tag images
     strategy:
       matrix:
         architecture: [amd64,ppc64le,arm64,s390x]
         platform: [linux]
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v5
+    - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      with:
+        persist-credentials: false
+
     - name: Set Env Tags
-      run: echo RELEASE_TAG=$(echo $GITHUB_REF | cut -d '/' -f 3) >> $GITHUB_ENV
+      run: echo "RELEASE_TAG=$(echo "${GITHUB_REF}" | cut -d '/' -f 3)" >> "${GITHUB_ENV}"
 
     - name: Set up QEMU
-      uses: docker/setup-qemu-action@v3
+      uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
 
     - name: Build Image
       id: build-image
-      uses: redhat-actions/buildah-build@v2
+      uses: redhat-actions/buildah-build@7a95fa7ee0f02d552a32753e7414641a04307056 # v2.13
       with:
         image: ${{ secrets.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}
         tags: ${{ env.RELEASE_TAG }}-${{ matrix.platform }}-${{ matrix.architecture }}
@@ -41,7 +46,7 @@ jobs:
 
     - name: Push Image
       id: push-image
-      uses: redhat-actions/push-to-registry@v2
+      uses: redhat-actions/push-to-registry@5ed88d269cf581ea9ef6dd6806d01562096bee9c # v2.8
       with:
         image: ${{ env.IMAGE_NAME }}
         tags: ${{ env.RELEASE_TAG }}-${{ matrix.platform }}-${{ matrix.architecture }}
@@ -50,7 +55,9 @@ jobs:
         password: ${{ secrets.REGISTRY_PASSWORD }}
 
     - name: Print image url
-      run: echo "Image pushed to ${{ steps.push-image.outputs.registry-paths }}"
+      run: echo "Image pushed to ${REGISTRY_PATHS}"
+      env:
+        REGISTRY_PATHS: ${{ steps.push-image.outputs.registry-paths }}
 
     outputs:
       imageName: ${{ env.IMAGE_NAME }}
@@ -78,6 +85,8 @@ jobs:
       token: ${{ secrets.GITHUB_TOKEN }}
 
   extract-assets:
+    # TODO: Set explicit permissions for this job.
+    # zizmor: ignore[excessive-permissions]
     needs: build-release
     uses: ./.github/workflows/release-artifacts.yml
     with:
@@ -90,6 +99,8 @@ jobs:
       token: ${{ secrets.GITHUB_TOKEN }}
 
   add-release-info-to-pyxis:
+    # TODO: Set explicit permissions for this job.
+    # zizmor: ignore[excessive-permissions]
     needs: [build-release, extract-assets]
     uses: ./.github/workflows/add-release-info-to-pyxis.yml
     if: "!github.event.release.prerelease"
@@ -103,6 +114,8 @@ jobs:
       certificatePassword: ${{ secrets.PREFLIGHT_RELEASE_PASSWORD }}
 
   copy-to-rhisv:
+    # TODO: Set explicit permissions for this job.
+    # zizmor: ignore[excessive-permissions]
     needs: [build-release, build-multiarch]
     uses: ./.github/workflows/copy-to-rhisv.yml
     with:

.github/workflows/check-actions.yml

@@ -0,0 +1,28 @@
+name: Analyze GitHub Actions security
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    branches: ["**"]
+
+permissions: {}
+
+jobs:
+  check-actions:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+
+      - name: Run actionlint
+        uses: docker://rhysd/actionlint@sha256:96d4a8c87dbbfb3bdd324f8fdc285fc3df5261e2decc619a4dd7e8ee52bbfd46 # 1.7.8
+        with:
+          args: -color
+
+      - name: Run zizmor
+        uses: zizmorcore/zizmor-action@e673c3917a1aef3c65c972347ed84ccd013ecda4 # v0.2.0
+        with:
+          advanced-security: false

.github/workflows/code-review.yml

@@ -1,12 +1,18 @@
 name: Gemini AI Code Review
 
-on:
+# pull_request_target is needed to access the Gemini key and modify (set/remove labels, comment on)
+# the pull request.
+on: # zizmor: ignore[dangerous-triggers]
   pull_request_target:
     types: [opened, synchronize, reopened, labeled]
 
+# TODO: Assign permissions in individual jobs rather than at the
+# workflow level to avoid blindly handing out `pull-requests: write`
+# at the workflow level to all jobs (particularly if new jobs are
+# added in this workflow in the future).
 permissions:
   contents: read
-  pull-requests: write
+  pull-requests: write # zizmor: ignore[excessive-permissions]
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.run_id }}
@@ -21,26 +27,30 @@ jobs:
       pull-requests: write
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+
       - name: Handle review label
         id: prep
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           PR_NUMBER: ${{ github.event.pull_request.number }}
+          LABEL_JSON: ${{ toJSON(github.event.pull_request.labels.*.name) }}
+          EVENT_ACTION: ${{ github.event.action }}
         run: |
-          HAS_LABEL=$(echo '${{ toJSON(github.event.pull_request.labels.*.name) }}' | jq 'any(. == "gemini-review")')
-          EVENT_ACTION="${{ github.event.action }}"
+          HAS_LABEL=$(jq -n 'env.LABEL_JSON | fromjson | any(. == "gemini-review")')
 
-          if [[ "$HAS_LABEL" == "true" && "$EVENT_ACTION" != "labeled" ]]; then
+          if [[ "${HAS_LABEL}" == "true" && "${EVENT_ACTION}" != "labeled" ]]; then
             echo "gemini-review label found on a '${EVENT_ACTION}' event. Removing label and skipping review."
-            gh pr edit "$PR_NUMBER" --remove-label "gemini-review"
-            echo "should_run_review=false" >> $GITHUB_OUTPUT
-          elif [[ "$HAS_LABEL" == "true" ]]; then
+            gh pr edit "${PR_NUMBER}" --remove-label "gemini-review"
+            echo "should_run_review=false" >> "${GITHUB_OUTPUT}"
+          elif [[ "${HAS_LABEL}" == "true" ]]; then
             echo "gemini-review label found. Proceeding with review."
-            echo "should_run_review=true" >> $GITHUB_OUTPUT
+            echo "should_run_review=true" >> "${GITHUB_OUTPUT}"
           else
             echo "gemini-review label not found. Skipping review."
-            echo "should_run_review=false" >> $GITHUB_OUTPUT
+            echo "should_run_review=false" >> "${GITHUB_OUTPUT}"
           fi
 
   gemini-code-review:
@@ -49,13 +59,14 @@ jobs:
     if: needs.handle-label.outputs.should_run_review == 'true'
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           ref: refs/pull/${{ github.event.pull_request.number }}/merge
+          persist-credentials: false
           fetch-depth: 0
 
       - name: Gemini AI Code Review
-        uses: sshnaidm/gemini-code-review-action@d4ccdaf0e2cad5cb79f80f6db07857c0e7fff28f
+        uses: sshnaidm/gemini-code-review-action@d4ccdaf0e2cad5cb79f80f6db07857c0e7fff28f # v1
         with:
           gemini-key: ${{ secrets.GEMINI_API_KEY }}
           model: 'gemini-2.5-flash'