chore(ci): gh action hardening

.github/actions/setup/action.yml

@@ -11,21 +11,21 @@ runs:
 
     - name: Restore Bun toolchain cache
       id: bun-toolchain-cache
-      uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
+      uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
       with:
         path: /opt/hostedtoolcache/bun
         key: bun-toolchain-${{ runner.os }}-${{ runner.arch }}-${{ env.BUN_VERSION }}
 
     - name: Install Bun
       id: install-bun
-      uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2
+      uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0
       continue-on-error: true
       with:
         bun-version: ${{ env.BUN_VERSION }}
 
     - name: Install Bun (fallback with retries)
       if: steps.install-bun.outcome == 'failure'
-      uses: nick-fields/retry@v3
+      uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2
       with:
         timeout_minutes: 3
         max_attempts: 5
@@ -39,7 +39,7 @@ runs:
       run: bun --version
 
     - name: Install Node.js
-      uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+      uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
       with:
           node-version-file: .nvmrc
           package-manager-cache: false
@@ -49,7 +49,7 @@ runs:
       run: npm install --global --force corepack && corepack enable
 
     - name: Configure dependency cache
-      uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+      uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
       with:
         cache: pnpm
 

.github/dependabot.yml

@@ -9,6 +9,8 @@ updates:
       actions-major:
         patterns:
           - "*"
+    cooldown:
+      default-days: 7
   - package-ecosystem: "gomod"
     directories:
       - "/"
@@ -23,6 +25,8 @@ updates:
           - patch
         exclude-patterns:
           - github.com/compose-spec/compose-go/v2
+    cooldown:
+      default-days: 7
   - package-ecosystem: "npm"
     directory: "/"
     schedule:
@@ -32,6 +36,8 @@ updates:
       npm-major:
         patterns:
           - "*"
+    cooldown:
+      default-days: 7
   - package-ecosystem: "docker"
     directory: "/apps/cli-go/pkg/config/templates"
     schedule:
@@ -49,3 +55,5 @@ updates:
       - dependency-name: "axllent/mailpit"
       - dependency-name: "darthsim/imgproxy"
       - dependency-name: "timberio/vector"
+    cooldown:
+      default-days: 7

.github/workflows/automerge.yml

@@ -4,15 +4,14 @@ name: Dependabot auto-merge
 on: pull_request
 
 permissions:
-  pull-requests: write
-  contents: write
+  contents: read
 
 jobs:
   dependabot:
     runs-on: ubuntu-latest
     # Checking the actor will prevent your Action run failing on non-Dependabot
     # PRs but also ensures that it only does work for Dependabot PRs.
-    if: ${{ github.actor == 'dependabot[bot]' }}
+    if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == github.event.pull_request.head.repo.full_name
     steps:
       # This first step will fail if there's no metadata and so the approval
       # will not occur.
@@ -27,20 +26,24 @@ jobs:
         if: ${{ steps.meta.outputs.update-type == null || steps.meta.outputs.update-type == 'version-update:semver-patch' || (!startsWith(steps.meta.outputs.previous-version, '0.') && steps.meta.outputs.update-type == 'version-update:semver-minor') }}
         uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
         with:
-          app-id: ${{ secrets.APP_ID }}
+          client-id: ${{ vars.GH_APP_CLIENT_ID }}
           private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          permission-pull-requests: write
+          permission-contents: write
 
       # Here the PR gets approved.
       - name: Approve a PR
         if: ${{ steps.meta.outputs.update-type == null || steps.meta.outputs.update-type == 'version-update:semver-patch' || (!startsWith(steps.meta.outputs.previous-version, '0.') && steps.meta.outputs.update-type == 'version-update:semver-minor') }}
-        run: gh pr review --approve "${{ github.event.pull_request.html_url }}"
+        run: gh pr review --approve "${GITHUB_EVENT_PULL_REQUEST_HTML_URL}"
         env:
           GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
+          GITHUB_EVENT_PULL_REQUEST_HTML_URL: ${{ github.event.pull_request.html_url }}
 
       # Finally, this sets the PR to allow auto-merging for patch and minor
       # updates if all checks pass
       - name: Enable auto-merge for Dependabot PRs
         if: ${{ steps.meta.outputs.update-type == null || steps.meta.outputs.update-type == 'version-update:semver-patch' || (!startsWith(steps.meta.outputs.previous-version, '0.') && steps.meta.outputs.update-type == 'version-update:semver-minor') }}
-        run: gh pr merge --auto --squash "${{ github.event.pull_request.html_url }}"
+        run: gh pr merge --auto --squash "${GITHUB_EVENT_PULL_REQUEST_HTML_URL}"
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
+          GITHUB_EVENT_PULL_REQUEST_HTML_URL: ${{ github.event.pull_request.html_url }}

.github/workflows/cli-go-api-sync.yml

@@ -5,16 +5,18 @@ on:
     types:
       - api-sync
   workflow_dispatch: # allow manual triggering
+
 permissions:
-  contents: write
-  pull-requests: write
+  contents: read
 
 jobs:
   sync:
     name: Sync API Types
     runs-on: blacksmith-2vcpu-ubuntu-2404
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
         with:
@@ -39,8 +41,10 @@ jobs:
         id: app-token
         uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
         with:
-          app-id: ${{ secrets.APP_ID }}
+          client-id: ${{ vars.GH_APP_CLIENT_ID }}
           private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          permission-pull-requests: write
+          permission-contents: write
 
       - name: Create Pull Request
         if: steps.check.outputs.has_changes == 'true'
@@ -60,15 +64,17 @@ jobs:
       - name: Approve a PR
         if: steps.check.outputs.has_changes == 'true' && steps.cpr.outputs.pull-request-operation == 'created'
         continue-on-error: true
-        run: gh pr review --approve --repo "${{ github.repository }}" "${{ steps.cpr.outputs.pull-request-number }}"
+        run: gh pr review --approve --repo "${{ github.repository }}" "${STEPS_CPR_OUTPUTS_PULL_REQUEST_NUMBER}"
         env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
+          STEPS_CPR_OUTPUTS_PULL_REQUEST_NUMBER: ${{ steps.cpr.outputs.pull-request-number }}
 
       - name: Enable Pull Request Automerge
         if: steps.check.outputs.has_changes == 'true'
-        run: gh pr merge --auto --squash --repo "${{ github.repository }}" "${{ steps.cpr.outputs.pull-request-number }}"
+        run: gh pr merge --auto --squash --repo "${{ github.repository }}" "${STEPS_CPR_OUTPUTS_PULL_REQUEST_NUMBER}"
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          STEPS_CPR_OUTPUTS_PULL_REQUEST_NUMBER: ${{ steps.cpr.outputs.pull-request-number }}
 defaults:
   run:
     working-directory: apps/cli-go

.github/workflows/cli-go-ci.yml

@@ -22,6 +22,8 @@ jobs:
     runs-on: blacksmith-8vcpu-ubuntu-2404
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
         with:
@@ -59,6 +61,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
         with:
@@ -78,6 +82,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
         with:
           go-version-file: apps/cli-go/go.mod
@@ -102,6 +108,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
         with:
           go-version-file: apps/cli-go/go.mod
@@ -117,6 +125,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
         with:

.github/workflows/cli-go-codeql.yml

@@ -64,6 +64,8 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL

.github/workflows/cli-go-mirror-image.yml

@@ -9,6 +9,9 @@ on:
       image:
         required: true
         type: string
+    secrets:
+      PROD_AWS_ROLE:
+        required: true
   workflow_dispatch:
     inputs:
       image:
@@ -26,8 +29,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - id: strip
+        env:
+          TAG: ${{ github.event.client_payload.image || inputs.image }}
         run: |
-          TAG=${{ github.event.client_payload.image || inputs.image }}
           echo "image=${TAG##*/}" >> $GITHUB_OUTPUT
       - name: configure aws credentials
         uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0

.github/workflows/cli-go-mirror.yml

@@ -28,6 +28,8 @@ jobs:
       curr: ${{ steps.curr.outputs.tags }}
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
         with:
           go-version-file: apps/cli-go/go.mod
@@ -55,10 +57,11 @@ jobs:
       matrix:
         src: ${{ fromJson(needs.setup.outputs.tags) }}
     # Call workflow explicitly because events from actions cannot trigger more actions
-    uses: ./.github/workflows/mirror-image.yml
+    uses: ./.github/workflows/cli-go-mirror-image.yml
     with:
       image: ${{ matrix.src }}
-    secrets: inherit
+    secrets:
+      PROD_AWS_ROLE: ${{ secrets.PROD_AWS_ROLE }}
 defaults:
   run:
     working-directory: apps/cli-go

.github/workflows/cli-go-pg-prove.yml

@@ -86,10 +86,11 @@ jobs:
       - settings
       - merge_manifest
     # Call workflow explicitly because events from actions cannot trigger more actions
-    uses: ./.github/workflows/mirror-image.yml
+    uses: ./.github/workflows/cli-go-mirror-image.yml
     with:
       image: ${{ needs.settings.outputs.image_tag }}
-    secrets: inherit
+    secrets:
+      PROD_AWS_ROLE: ${{ secrets.PROD_AWS_ROLE }}
 defaults:
   run:
     working-directory: apps/cli-go

.github/workflows/cli-go-publish-migra.yml

@@ -86,10 +86,11 @@ jobs:
       - settings
       - merge_manifest
     # Call workflow explicitly because events from actions cannot trigger more actions
-    uses: ./.github/workflows/mirror-image.yml
+    uses: ./.github/workflows/cli-go-mirror-image.yml
     with:
       image: ${{ needs.settings.outputs.image_tag }}
-    secrets: inherit
+    secrets:
+      PROD_AWS_ROLE: ${{ secrets.PROD_AWS_ROLE }}
 defaults:
   run:
     working-directory: apps/cli-go

.github/workflows/cli-go-tag-pkg.yml

@@ -22,10 +22,11 @@ jobs:
         with:
           ref: develop
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Create and push pkg tag
         run: |
-          VERSION="${{ inputs.version }}"
+          VERSION="${INPUTS_VERSION}"
           if ! [[ "$VERSION" =~ ^v(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)$ ]]; then
             echo "Error: version '$VERSION' does not match semver format (e.g. v1.2.2)"
             exit 1
@@ -37,6 +38,8 @@ jobs:
           fi
           git tag "$TAG"
           git push origin "$TAG"
+        env:
+          INPUTS_VERSION: ${{ inputs.version }}
 defaults:
   run:
     working-directory: apps/cli-go

.github/workflows/deploy.yml

@@ -7,8 +7,7 @@ on:
   workflow_dispatch:
 
 permissions:
-  pull-requests: write
-  contents: write
+  contents: read
 
 jobs:
   deploy:
@@ -17,11 +16,15 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           fetch-depth: 0
+          persist-credentials: false
       - id: app-token
         uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
         with:
-          app-id: ${{ secrets.APP_ID }}
+          client-id: ${{ vars.GH_APP_CLIENT_ID }}
           private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          permission-contents: write
+          permission-pull-requests: write
+
       - run: "gh pr create -B main -H develop --title 'chore: production deploy' --label 'do not merge' --fill"
         env:
           GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}