fix: various actions workflow security improvements (#17651)

* fix: set persist-credentials explicitly for checkout https://woodruffw.github.io/zizmor/audits/#artipacked * fix: minimize permissions scope for workflows https://woodruffw.github.io/zizmor/audits/#excessive-permissions * fix: remove potential template injections https://woodruffw.github.io/zizmor/audits/#template-injection * fix: only pass needed secrets in workflow_call https://woodruffw.github.io/zizmor/audits/#secrets-inherit * fix: push perm for single-arch build jobs I hadn't realised these push to the registry too :x * chore: fix formatting * fix: $ * fix: retag job quoting --------- Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>
2025-12-24 17:24:56 +03:00 · 2025-04-18 22:10:27 +02:00
parent 0e6ac87645
commit 504930947d
18 changed files with 269 additions and 63 deletions
--- a/.github/workflows/cli.yml
+++ b/.github/workflows/cli.yml
@@ -16,19 +16,23 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

-permissions:
-  packages: write
+permissions: {}

 jobs:
  publish:
    name: CLI Publish
    runs-on: ubuntu-latest
+    permissions:
+      contents: read
    defaults:
      run:
        working-directory: ./cli

    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          persist-credentials: false
+
      # Setup .npmrc file to publish to npm
      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
        with:
@@ -48,11 +52,16 @@ jobs:
  docker:
    name: Docker
    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
    needs: publish

    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          persist-credentials: false

      - name: Set up QEMU
        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0