fix(ci): harden workflows against injection #337

Closed. LuisUrrutia wants to merge 1 commit into main from fix/harden-ci-workflows

@LuisUrrutia (Contributor)

Summary

  • Extract repeated token-resolution logic into a reusable auth-token composite action
  • Fix expression injection vulnerabilities by passing secrets/contexts through env vars instead of inline ${{ }} in run: blocks
  • Add concurrency groups, bump pinned action versions, apply least-privilege permissions, and quote shell variables

Test plan

  • Verify CI workflows pass on this PR (lint, test, coverage, export-testing)
  • Confirm auth-token composite action resolves tokens correctly for base-repo and fork PRs
  • Validate that concurrency groups cancel redundant runs as expected

Extract token resolution into reusable auth-token composite
action to eliminate ${{ }} interpolation in run blocks across
8 workflows.

- Add concurrency groups to PR workflows
- Fix cancel-in-progress on production deployment
- Unify harden-runner to v2.13.0 across all workflows
- Add missing version comments for pinned action SHAs
- Fix staging Docker build race condition (needs: publish-rc)
- Remove continue-on-error on CI tests
- Switch update-dependencies to use app token
- Bump pnpm/action-setup, setup-buildx, sbom-action, setup-node

@LuisUrrutia requested a review from a team as a code owner February 6, 2026 12:11

@tirumerla (Contributor) left a comment

Thanks, lgtm

with:
token: ${{ inputs.token }}
persist-credentials: true
fetch-depth: ${{ inputs.fetch-depth }}
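
Review bot: `persist-credentials: true` in this `with:` block keeps the token from `token: ${{ inputs.token }}` in the checked-out repository's git config, where every later step in the job can read it. For a hardening change, set it to `false` unless a later step has to push with that token, and if one does, add a comment naming that step.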
You can probably remove the whole checkout action here, since we are already fetching full history from checkout in the parent workflow. Let's avoid duplicating checkouts.

pasevin added a commit that referenced this pull request May 20, 2026
The prepare composite was doing a second checkout on top of the one
each workflow already runs. Removes it (and the now-unused token input)
and drops the auth-token resolution from workflows that only needed it
to feed prepare. update-dependencies keeps auth-token since it still
feeds peter-evans/create-pull-request.

Addresses review feedback on #337.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

@pasevin (Collaborator) commented May 20, 2026

Superseded by #391, which is a fresh port against current main (the original branch diverged after #373 removed the publish/update-versions workflows). Thanks @LuisUrrutia for the original work — the hardening pattern lives on in #391.

@pasevin closed this May 20, 2026
pasevin added a commit that referenced this pull request May 20, 2026
* fix(ci): harden workflows against script injection

Extract repeated token-resolution boilerplate into a reusable
auth-token composite action and eliminate ${{ }} interpolation
inside run: blocks across workflows.

- Add .github/actions/auth-token composite for fork-aware token resolution
- Pass NPM_TOKEN and matrix values through env vars in run: blocks
- Add concurrency groups to PR workflows
- Set cancel-in-progress: false on production deployment
- Unify harden-runner to v2.13.0
- Bump pnpm/action-setup to v4.2.0 and setup-node to v4.4.0
- Bump docker/setup-buildx-action to v3.12.0
- Drop continue-on-error on CI test step
- Use app token (instead of GITHUB_TOKEN) in update-dependencies

Supersedes #337, which had diverged from main after #373 removed
publish.yml, update-versions.yml, and the publish-rc job in docker-stg.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(ci): drop redundant checkout from prepare composite

The prepare composite was doing a second checkout on top of the one
each workflow already runs. Removes it (and the now-unused token input)
and drops the auth-token resolution from workflows that only needed it
to feed prepare. update-dependencies keeps auth-token since it still
feeds peter-evans/create-pull-request.

Addresses review feedback on #337.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* revert(ci): leave e2e-export step body unchanged

Matrix values aren't user-controllable, so the CHAIN env-var refactor
is out of scope for the hardening PR. Restore the run line and step
name to match main.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
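
The pattern these commits describe, replacing inline `${{ }}` in `run:` blocks with env vars, can be checked mechanically. The following is an added example, not code from this PR or repository: a stdlib-only Python scan over a constructed sample workflow. The step names, the `PR_TITLE` variable and the `find_inline_expressions` helper are assumptions for illustration.

```python
import re

EXPR = re.compile(r"\$\{\{(.*?)\}\}")
RUN = re.compile(r"^(\s*)(?:-\s+)?run:\s*(.*)$")

# Constructed sample workflow: first step interpolates inline, second uses env.
SAMPLE = """\
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - name: inline (flagged)
        run: |
          echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}" > ~/.npmrc
          echo "title: ${{ github.event.pull_request.title }}"
      - name: via env (clean)
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" > ~/.npmrc
          echo "title: ${PR_TITLE}"
"""

def find_inline_expressions(workflow_text):
    """Return (line_number, expression) for each ${{ }} inside a run: body."""
    findings = []
    run_indent = None  # column of the current run: key, or None outside one
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = RUN.match(line)
        if m:
            # For "- run:" the key is assumed to sit two columns past the dash.
            run_indent = len(m.group(1)) + (2 if line.lstrip().startswith("-") else 0)
            body = m.group(2)
        elif run_indent is not None and (
            not line.strip() or len(line) - len(line.lstrip()) > run_indent
        ):
            body = line  # continuation line of the run: block scalar
        else:
            run_indent = None  # dedent ends the run: body
            continue
        findings += [(lineno, e.strip()) for e in EXPR.findall(body)]
    return findings
```

Expressions under `env:` are not reported, because the runner passes them to the step as environment values rather than pasting them into the script text the shell parses.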