
fix(ci): harden workflows against injection#337

Open
LuisUrrutia wants to merge 1 commit into main from fix/harden-ci-workflows


Conversation

@LuisUrrutia
Contributor

Summary

  • Extract repeated token-resolution logic into a reusable auth-token composite action
  • Fix expression injection vulnerabilities by passing secrets/contexts through env vars instead of inline ${{ }} in run: blocks
  • Add concurrency groups, bump pinned action versions, apply least-privilege permissions, and quote shell variables

Test plan

  • Verify CI workflows pass on this PR (lint, test, coverage, export-testing)
  • Confirm auth-token composite action resolves tokens correctly for base-repo and fork PRs
  • Validate that concurrency groups cancel redundant runs as expected

Extract token resolution into reusable auth-token composite
action to eliminate ${{ }} interpolation in run blocks across
8 workflows.

- Add concurrency groups to PR workflows
- Fix cancel-in-progress on production deployment
- Unify harden-runner to v2.13.0 across all workflows
- Add missing version comments for pinned action SHAs
- Fix staging Docker build race condition (needs: publish-rc)
- Remove continue-on-error on CI tests
- Switch update-dependencies to use app token
- Bump pnpm/action-setup, setup-buildx, sbom-action, setup-node
@LuisUrrutia LuisUrrutia requested a review from a team as a code owner February 6, 2026 12:11
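The second summary bullet is the security-relevant change: a `${{ }}` expression written directly inside a `run:` script is expanded into the script text before the shell parses it, so any context value an outsider can influence (a PR title, a branch name) lands in the shell as code; the same expression under `env:` reaches the shell only as a variable. The following Python script is an added example, not code from this PR or the project. It is a small line-oriented check for that pattern and is run over two constructed workflows: one with the injectable pattern and broad permissions, and one written the way the PR describes (env indirection, read-only `permissions`, a `concurrency` group, quoted shell variables). The `find_run_injections` and `is_hardened` names and the sample workflows are assumptions made for the example.

```python
import re

# A GitHub Actions expression such as ${{ github.event.pull_request.title }}
EXPR = re.compile(r"\$\{\{[^}]*\}\}")
# A `run:` key, optionally preceded by a list dash, with its value captured
RUN_KEY = re.compile(r"(?:-\s+)?run:\s*(.*)$")
BLOCK_INDICATORS = {"|", ">", "|-", ">-", "|+", ">+"}


def find_run_injections(workflow_text):
    """Return (line_no, text) for each line of a run: script containing a ${{ }}
    expression.

    The runner substitutes expressions into the script before the shell parses
    it, so a context value an outsider controls is spliced in as shell source.
    The same value placed under env: reaches the shell only as a variable, which
    is the pattern the PR switches to. This is a line-oriented check that assumes
    conventional two-space YAML indentation; it is not a full YAML parser.
    """
    findings = []
    in_block = False  # inside a multi-line `run: |` or `run: >` scalar
    key_indent = 0    # column of the run key; block content is indented deeper
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        if in_block:
            if stripped and indent <= key_indent:
                in_block = False  # dedent ends the block; re-check this line
            else:
                if EXPR.search(line):
                    findings.append((line_no, stripped))
                continue
        match = RUN_KEY.match(stripped)
        if not match:
            continue
        value = match.group(1).strip()
        if value in BLOCK_INDICATORS:
            in_block = True
            # For "- run: |" the key sits after the dash, so measure from the key
            key_indent = indent + (len(stripped) - len(stripped.lstrip("- ")))
        elif EXPR.search(value):
            findings.append((line_no, stripped))
    return findings


def is_hardened(workflow_text):
    """True when no run: script interpolates an expression."""
    return not find_run_injections(workflow_text)


# Constructed sample: inline expressions inside run: scripts, write-all permissions
VULNERABLE = """\
name: ci
on: pull_request
permissions: write-all
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - name: Echo title
        run: echo "PR title: ${{ github.event.pull_request.title }}"
      - name: Query API
        run: |
          TOKEN=${{ secrets.GITHUB_TOKEN }}
          gh api "repos/${{ github.repository }}/pulls" --silent
"""

# Constructed sample: same steps rewritten as the PR describes
HARDENED = """\
name: ci
on: pull_request
permissions:
  contents: read
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - name: Echo title
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "PR title: $PR_TITLE"
      - name: Query API
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          REPO: ${{ github.repository }}
        run: |
          gh api "repos/$REPO/pulls" --silent
"""

if __name__ == "__main__":
    for name, text in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        hits = find_run_injections(text)
        print(f"{name}: {len(hits)} expression(s) inside run: scripts")
        for line_no, text_line in hits:
            print(f"  line {line_no}: {text_line}")
```

Expressions under `env:` and `concurrency:` are left alone on purpose: they are evaluated by the runner, not by the shell. Moving a value into `env:` is only half of the fix the PR lists; the variable still has to be quoted in the script (`"$PR_TITLE"`), otherwise word splitting and globbing apply to its contents.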

@tirumerla tirumerla left a comment


Thanks, lgtm

with:
  token: ${{ inputs.token }}
  persist-credentials: true
  fetch-depth: ${{ inputs.fetch-depth }}

You can probably remove the whole checkout action here, since we are already fetching the full history from checkout in the parent workflow. Let's avoid duplicating checkouts.
