[pkl.impl.ghactions] Add validation to prevent template injection vectors (#71)

HT154 · web-flow · commit 5cb714a96030 · 2026-03-02T14:52:21.000-08:00
diff --git a/.github/PklProject.deps.json b/.github/PklProject.deps.json
@@ -10,7 +10,7 @@
     },
     "package://pkg.pkl-lang.org/pkl-project-commons/pkl.impl.ghactions@1": {
       "type": "local",
-      "uri": "projectpackage://pkg.pkl-lang.org/pkl-project-commons/pkl.impl.ghactions@1.4.0",
+      "uri": "projectpackage://pkg.pkl-lang.org/pkl-project-commons/pkl.impl.ghactions@1.5.0",
       "path": "../packages/pkl.impl.ghactions"
     },
     "package://pkg.pkl-lang.org/pkl-pantry/pkl.experimental.deepToTyped@1": {
diff --git a/packages/pkl.impl.ghactions/PklCI.pkl b/packages/pkl.impl.ghactions/PklCI.pkl
@@ -17,6 +17,8 @@ module pkl.impl.ghactions.PklCI
 
 import "@com.github.actions/actions/checkout/v6/Checkout.pkl"
 import "@com.github.actions/context.pkl"
+import "@com.github.actions/Job.pkl"
+import "@com.github.actions/Step.pkl"
 import "@com.github.actions/Workflow.pkl"
 import "@com.github.dependabot/v2/Dependabot.pkl"
 import "@pkl.github.dependabotManagedActions/DependabotManagedActions.pkl"
@@ -54,7 +56,7 @@ catalog: Catalog
 ///   * [Workflow.concurrency]
 ///
 /// This turns into a workflow called "Pull Request".
-prb: Workflow
+prb: Workflow(isValid)
 
 /// The workflow to run for commits that land on the main branch.
 ///
@@ -65,7 +67,7 @@ prb: Workflow
 ///   * [Workflow.concurrency]
 ///
 /// This turns into a workflow called "Build (main)".
-main: Workflow
+main: Workflow(isValid)
 
 /// The workflow to run for commits that land on all branches except for `main` and `release/*`
 ///
@@ -76,7 +78,7 @@ main: Workflow
 ///   * [Workflow.concurrency]
 ///
 /// This turns into a workflow called "Build".
-build: Workflow
+build: Workflow(isValid)
 
 /// The workflow that runs when tags are pushed.
 ///
@@ -87,7 +89,7 @@ build: Workflow
 ///   * [Workflow.concurrency]
 ///
 /// This turns into a workflow called "Release".
-release: Workflow?
+release: Workflow(isValid)?
 
 /// Tag glob patterns to ignore for releases
 releaseIgnoreTags: Listing<String>?
@@ -101,7 +103,7 @@ releaseIgnoreTags: Listing<String>?
 ///   * [Workflow.concurrency]
 ///
 /// This turns into a workflow called "Build (release branch)".
-releaseBranch: Workflow?
+releaseBranch: Workflow(isValid)?
 
 /// Test reports produced by [build] and [release].
 ///
@@ -133,7 +135,7 @@ triggerDocsBuild: "none" | "release" | "both" = "none"
 triggerPackageDocsBuild: "none" | "main" | "release" = "none"
 
 /// Any additional workflows beyond the built-in ones (prb, build, release, etc)
-workflows: Mapping<String, Workflow>
+workflows: Mapping<String, Workflow(isValid)>
 
 /// Any additional dependabot configuration beyond GitHub Actions
 dependabot: Dependabot
@@ -332,14 +334,14 @@ local testReportWorkflow: Workflow = new {
             ["path"] = "artifacts"
             ["name"] = "test-results-.*"
             ["name_is_regexp"] = true
-            ["run_id"] = "${{ github.event.workflow_run.id }}"
+            ["run_id"] = context.github.event("workflow_run.id")
           }
         }
         new PublishUnitTestResult {
           name = "Publish test results"
           with {
-            commit = "${{ github.event.workflow_run.head_sha }}"
-            event_name = "${{ github.event.workflow_run.event }}"
+            commit = context.github.event("workflow_run.head_sha")
+            event_name = context.github.event("workflow_run.event")
             event_file = "artifacts/\(TEST_RESULT_EVENT_FILE_ARTIFACT_NAME)/event.json"
             file_patterns { "artifacts/**/*.xml" }
             comment_mode = "off"
@@ -485,6 +487,38 @@ local withPublishTestResults: Mixin<Workflow.Jobs> = (it) ->
           }
         }
 
+/// Validate a Workflow; for use as a type constraint.
+///
+/// Validations
+/// * Steps must not contain known template injection vectors.
+hidden const isValid: (Workflow) -> Boolean = (workflow) ->
+  let (
+    errors =
+      workflow.jobs
+        .toMap()
+        .entries
+        .flatMap((job) ->
+          if (job.value is Job)
+            job.value.steps
+              .toList()
+              .flatMapIndexed((stepIndex, step) ->
+                if (step is Step && step.run != null && step.run.contains("${{"))
+                  // there are other actions that have fields susceptible to template injection
+                  // but we don't use them
+                  // the zizmor project has a great tool for identifying these: https://github.com/zizmorcore/zizmor/blob/main/support/codeql-injection-sinks.py
+                  // and a few manually maintained entries: https://github.com/zizmorcore/zizmor/blob/cdc816b480a895144197fab903efc819810aca17/crates/zizmor/src/audit/template_injection.rs#L59-L74
+                  List(
+                    "[job:\(job.key) step:\(stepIndex) field:run] Potential template injection, use expressions via `env` instead"
+                  )
+                else
+                  List()
+              )
+          else
+            List()
+        )
+  )
+    if (errors.isEmpty) true else throw("Invalid workflow:\n\(errors.join("\n"))")
+
 local function withTriggerWorkflows(triggerType: String): Mixin<Workflow.Jobs> = (it) -> (it) {
   when (
     triggerType == triggerDocsBuild
@@ -514,14 +548,16 @@ local function withTriggerWorkflows(triggerType: String): Mixin<Workflow.Jobs> =
           new {
             name = "Trigger pkl-lang.org build"
             env {
-              ["GH_TOKEN"] = "${{ steps.app-token.outputs.token }}"
+              ["GH_TOKEN"] = context.steps.outputs("app-token", "token")
+              ["SOURCE_RUN"] =
+                "\(context.github.serverUrl)/\(context.github.repository)/actions/runs/\(context.github.runId)"
             }
             run =
               #"""
               gh workflow run \
                 --repo apple/pkl-lang.org \
                 --ref main \
-                --field source_run="\#(context.github.serverUrl)/\#(context.github.repository)/actions/runs/\#(context.github.runId)" \
+                --field source_run="${SOURCE_RUN}" \
                 main.yml
               """#
           }
@@ -530,14 +566,16 @@ local function withTriggerWorkflows(triggerType: String): Mixin<Workflow.Jobs> =
           new {
             name = "Trigger pkl-package-docs build"
             env {
-              ["GH_TOKEN"] = "${{ steps.app-token.outputs.token }}"
+              ["GH_TOKEN"] = context.steps.outputs("app-token", "token")
+              ["SOURCE_RUN"] =
+                "\(context.github.serverUrl)/\(context.github.repository)/actions/runs/\(context.github.runId)"
             }
             run =
               #"""
               gh workflow run \
                 --repo apple/pkl-package-docs \
                 --ref main \
-                --field source_run="\#(context.github.serverUrl)/\#(context.github.repository)/actions/runs/\#(context.github.runId)" \
+                --field source_run="${SOURCE_RUN}" \
                 main.yml
               """#
           }
diff --git a/packages/pkl.impl.ghactions/PklProject b/packages/pkl.impl.ghactions/PklProject
@@ -17,7 +17,7 @@
 amends "../basePklProject.pkl"
 
 package {
-  version = "1.4.0"
+  version = "1.5.0"
 }
 
 dependencies {
diff --git a/packages/pkl.impl.ghactions/tests/validation.pkl b/packages/pkl.impl.ghactions/tests/validation.pkl
@@ -0,0 +1,38 @@
+//===----------------------------------------------------------------------===//
+// Copyright © 2026 Apple Inc. and the Pkl project authors. All rights reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//===----------------------------------------------------------------------===//
+amends "pkl:test"
+
+import "@com.github.actions/context.pkl"
+import "@com.github.actions/Workflow.pkl"
+
+import "../PklCI.pkl"
+
+examples {
+  ["template injection"] {
+    module.catch(() ->
+      PklCI.isValid.apply(new Workflow {
+        jobs {
+          ["foo"] {
+            `runs-on` = "ubuntu-latest"
+            steps {
+              new { run = "echo \(context.github.refName)" }
+            }
+          }
+        }
+      })
+    )
+  }
+}
diff --git a/packages/pkl.impl.ghactions/tests/validation.pkl-expected.pcf b/packages/pkl.impl.ghactions/tests/validation.pkl-expected.pcf
@@ -0,0 +1,5 @@
+examples {
+  ["template injection"] {
+    "Invalid workflow: [job:foo step:0 field:run] Potential template injection, use expressions via `env` instead"
+  }
+}

Original file line number	Diff line number	Diff line change
`@@ -17,7 +17,7 @@`
`17`	`17`	`amends "../basePklProject.pkl"`
`18`	`18`
`19`	`19`	`package {`
`20`		`- version = "1.4.0"`
	`20`	`+ version = "1.5.0"`
`21`	`21`	`}`
`22`	`22`
`23`	`23`	`dependencies {`