sec(GHA): Apply security best practices for GitHub Workflows

.github/workflows/_audit.yml

@@ -2,7 +2,7 @@ name: "Audit"
 
 on:
   workflow_call:
-    # No inputs needed at this time
+    # No secrets needed
 
 jobs:
   audit:

.github/workflows/_build-native-only.yml

@@ -2,7 +2,7 @@ name: "Build Native Only"
 
 on:
   workflow_call:
-    # No inputs needed at this time
+    # No secrets needed
 
 env:
   # https://gist.github.com/NodeJSmith/e7e37f2d3f162456869f015f842bcf15

.github/workflows/_codeql.yml

@@ -2,7 +2,7 @@ name: "CodeQL Analysis"
 
 on:
   workflow_call:
-    # No inputs needed at this time
+    # No secrets needed
 
 jobs:
   analyze:

.github/workflows/_docker-publish.yml

@@ -2,7 +2,11 @@ name: "Publish Docker Image"
 
 on:
   workflow_call:
-    # No inputs needed at this time
+    secrets:
+      DOCKER_USERNAME:
+        required: false
+      DOCKER_PASSWORD:
+        required: false
 
 jobs:
   docker_publish:

.github/workflows/_ketryx_report_and_check.yml

@@ -2,7 +2,11 @@ name: "Report build to Ketryx and check for approval"
 
 on:
   workflow_call:
-    # No inputs needed at this time
+    secrets:
+      KETRYX_PROJECT:
+        required: false
+      KETRYX_API_KEY:
+        required: false
 
 env:
   # https://gist.github.com/NodeJSmith/e7e37f2d3f162456869f015f842bcf15
@@ -35,7 +39,7 @@ jobs:
 
       - name: Report build to Ketryx and check for approval
         if: (!contains(github.event.head_commit.message, 'skip:ketryx'))
-        uses: Ketryx/ketryx-github-action@v1.4.0
+        uses: Ketryx/ketryx-github-action@40b13ef68c772e96e58ec01a81f5b216d7710186 # v1.4.0
         continue-on-error: true # TODO(Helmut): Remove post having Ketryx configured to inspect the main branch
         with:
           project: ${{ secrets.KETRYX_PROJECT }}

.github/workflows/_lint.yml

@@ -2,7 +2,7 @@ name: "Lint"
 
 on:
   workflow_call:
-    # No inputs needed at this time
+    # No secrets needed
 
 jobs:
   lint:

.github/workflows/_package-publish.yml

@@ -2,7 +2,13 @@ name: "Publish Package"
 
 on:
   workflow_call:
-    # No inputs needed at this time
+    secrets:
+      UV_PUBLISH_TOKEN:
+        required: false
+      SLACK_WEBHOOK_URL_RELEASE_ANNOUNCEMENT:
+        required: false
+      SLACK_CHANNEL_ID_RELEASE_ANNOUNCEMENT:
+        required: false
 
 env:
   # https://gist.github.com/NodeJSmith/e7e37f2d3f162456869f015f842bcf15
@@ -167,7 +173,11 @@ jobs:
 
       - name: Publish distribution to Python Package Index at pypi.org
         shell: bash
-        run: uv publish -t ${{ secrets.UV_PUBLISH_TOKEN }}
+        env:
+          UV_PUBLISH_TOKEN: ${{ secrets.UV_PUBLISH_TOKEN }}
+        run: |
+          # Use uv's credential storage - uv will read from UV_PUBLISH_TOKEN env var automatically
+          uv publish
 
       - name: Download test results for ubuntu-latest generated in _test.yml
         if: (!contains(github.event.head_commit.message, 'skip:test:all'))

.github/workflows/_scheduled-audit.yml

@@ -2,7 +2,15 @@ name: "Scheduled Audit"
 
 on:
   workflow_call:
-    # No inputs needed at this time
+    secrets:
+      AIGNOSTICS_CLIENT_ID_DEVICE:
+        required: false
+      AIGNOSTICS_REFRESH_TOKEN:
+        required: false
+      GCP_CREDENTIALS:
+        required: false
+      BETTERSTACK_AUDIT_HEARTBEAT_URL:
+        required: false
 
 jobs:
   audit-scheduled:
@@ -40,8 +48,10 @@ jobs:
 
       - name: Set up GCP credentials for bucket access
         shell: bash
+        env:
+          GCP_CREDENTIALS: ${{ secrets.GCP_CREDENTIALS }}
         run: |
-          echo "${{ secrets.GCP_CREDENTIALS }}" | base64 -d > credentials.json
+          echo "$GCP_CREDENTIALS" | base64 -d > credentials.json
           echo "GOOGLE_APPLICATION_CREDENTIALS=$(pwd)/credentials.json" >> $GITHUB_ENV
 
       - name: Audit

.github/workflows/_scheduled-test.yml

@@ -2,7 +2,15 @@ name: "Scheduled Test"
 
 on:
   workflow_call:
-    # No inputs needed at this time
+    secrets:
+      AIGNOSTICS_CLIENT_ID_DEVICE:
+        required: false
+      AIGNOSTICS_REFRESH_TOKEN:
+        required: false
+      GCP_CREDENTIALS:
+        required: false
+      BETTERSTACK_HEARTBEAT_URL:
+        required: false
 
 jobs:
   test-scheduled:
@@ -40,8 +48,10 @@ jobs:
 
       - name: Set up GCP credentials for bucket access
         shell: bash
+        env:
+          GCP_CREDENTIALS: ${{ secrets.GCP_CREDENTIALS }}
         run: |
-          echo "${{ secrets.GCP_CREDENTIALS }}" | base64 -d > credentials.json
+          echo "$GCP_CREDENTIALS" | base64 -d > credentials.json
           echo "GOOGLE_APPLICATION_CREDENTIALS=$(pwd)/credentials.json" >> $GITHUB_ENV
 
       - name: Test / scheduled

.github/workflows/_test.yml

@@ -2,7 +2,17 @@ name: "Test"
 
 on:
   workflow_call:
-    # No inputs needed at this time
+    secrets:
+      AIGNOSTICS_CLIENT_ID_DEVICE:
+        required: false
+      AIGNOSTICS_REFRESH_TOKEN:
+        required: false
+      GCP_CREDENTIALS:
+        required: false
+      CODECOV_TOKEN:
+        required: false
+      SONAR_TOKEN:
+        required: false
 
 env:
   # https://gist.github.com/NodeJSmith/e7e37f2d3f162456869f015f842bcf15
@@ -91,8 +101,10 @@ jobs:
 
       - name: Set up GCP credentials for bucket access
         shell: bash
+        env:
+          GCP_CREDENTIALS: ${{ secrets.GCP_CREDENTIALS }}
         run: |
-          echo "${{ secrets.GCP_CREDENTIALS }}" | base64 -d > credentials.json
+          echo "$GCP_CREDENTIALS" | base64 -d > credentials.json
           echo "GOOGLE_APPLICATION_CREDENTIALS=$(pwd)/credentials.json" >> $GITHUB_ENV
 
       - name: Validate installation

.github/workflows/audit-scheduled.yml

@@ -10,4 +10,8 @@ jobs:
     permissions:
       contents: read
       id-token: write
-    secrets: inherit
+    secrets:
+      AIGNOSTICS_CLIENT_ID_DEVICE: ${{ secrets.AIGNOSTICS_CLIENT_ID_DEVICE }}
+      AIGNOSTICS_REFRESH_TOKEN: ${{ secrets.AIGNOSTICS_REFRESH_TOKEN }}
+      GCP_CREDENTIALS: ${{ secrets.GCP_CREDENTIALS }}
+      BETTERSTACK_AUDIT_HEARTBEAT_URL: ${{ secrets.BETTERSTACK_AUDIT_HEARTBEAT_URL }}

.github/workflows/build-native-only.yml

@@ -19,4 +19,3 @@ jobs:
       contents: write
       id-token: write
       packages: write
-    secrets: inherit

.github/workflows/ci-cd.yml

@@ -21,7 +21,6 @@ jobs:
       contents: read
       id-token: write
       packages: read
-    secrets: inherit
 
   audit:
     if: (!contains(github.event.head_commit.message, 'skip:ci')) && (!contains(github.event.head_commit.message, 'build:native:only'))
@@ -30,7 +29,6 @@ jobs:
       contents: read
       id-token: write
       packages: read
-    secrets: inherit
 
   test:
     if: (!contains(github.event.head_commit.message, 'skip:ci')) && (!contains(github.event.head_commit.message, 'build:native:only'))
@@ -40,7 +38,12 @@ jobs:
       contents: read
       id-token: write
       packages: write
-    secrets: inherit
+    secrets:
+      AIGNOSTICS_CLIENT_ID_DEVICE: ${{ secrets.AIGNOSTICS_CLIENT_ID_DEVICE }}
+      AIGNOSTICS_REFRESH_TOKEN: ${{ secrets.AIGNOSTICS_REFRESH_TOKEN }}
+      GCP_CREDENTIALS: ${{ secrets.GCP_CREDENTIALS }}
+      CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+      SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
 
 
   codeql:
@@ -51,7 +54,6 @@ jobs:
       contents: read
       packages: read
       security-events: write
-    secrets: inherit
 
 
   ketryx_report_and_check:
@@ -65,7 +67,9 @@ jobs:
       contents: write
       id-token: write
       packages: write
-    secrets: inherit
+    secrets:
+      KETRYX_PROJECT: ${{ secrets.KETRYX_PROJECT }}
+      KETRYX_API_KEY: ${{ secrets.KETRYX_API_KEY }}
 
   package_publish:
 
@@ -78,7 +82,10 @@ jobs:
       contents: write
       id-token: write
       packages: write
-    secrets: inherit
+    secrets:
+      UV_PUBLISH_TOKEN: ${{ secrets.UV_PUBLISH_TOKEN }}
+      SLACK_WEBHOOK_URL_RELEASE_ANNOUNCEMENT: ${{ secrets.SLACK_WEBHOOK_URL_RELEASE_ANNOUNCEMENT }}
+      SLACK_CHANNEL_ID_RELEASE_ANNOUNCEMENT: ${{ secrets.SLACK_CHANNEL_ID_RELEASE_ANNOUNCEMENT }}
 
   docker_publish:
 
@@ -91,4 +98,6 @@ jobs:
       contents: read
       id-token: write
       packages: write
-    secrets: inherit
+    secrets:
+      DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+      DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}

.github/workflows/codeql-scheduled.yml

@@ -12,4 +12,3 @@ jobs:
       contents: read
       packages: read
       security-events: write
-    secrets: inherit

.github/workflows/test-scheduled.yml

@@ -10,4 +10,8 @@ jobs:
     permissions:
       contents: read
       id-token: write
-    secrets: inherit
+    secrets:
+      AIGNOSTICS_CLIENT_ID_DEVICE: ${{ secrets.AIGNOSTICS_CLIENT_ID_DEVICE }}
+      AIGNOSTICS_REFRESH_TOKEN: ${{ secrets.AIGNOSTICS_REFRESH_TOKEN }}
+      GCP_CREDENTIALS: ${{ secrets.GCP_CREDENTIALS }}
+      BETTERSTACK_HEARTBEAT_URL: ${{ secrets.BETTERSTACK_HEARTBEAT_URL }}

tests/aignostics/wsi/service_test.py

@@ -186,7 +186,7 @@ def test_serve_tiff_to_jpeg(user: User, silent_logging) -> None:
     assert image.height > 0
 
 
-def test_serve_tiff_to_jpeg_fails_on_broken_tiff(user: User, tmpdir) -> None:
+def test_serve_tiff_to_jpeg_fails_on_broken_tiff(user: User, tmpdir, silent_logging) -> None:
     """Test that the tiff route falls back as expected on broken tiff.
 
     - Spin up local webserver serving 4711 random bytes