fix: remediate latest zizmor findings

The current version of Zizmor finds some potential template injection
issues. We can fix these by indirecting via the `env`, or in one case by
adding an ignore comment where we can't really fix it.

Author: iainlane

.github/workflows/test-get-vault-secrets.yaml

@@ -67,10 +67,12 @@ jobs:
       - name: Check secret value is ${{ matrix.instance }}
         if: matrix.instance != 'invalid'
         run: |
-          if [[ "${{ env.INSTANCE }}" != "${{ matrix.instance }}" ]]; then
+          if [[ "${INSTANCE}" != "${{ matrix.instance }}" ]]; then
             echo "Test failed: secret value does not match vault_instance input"
             exit 1
           fi
+        env:
+          INSTANCE: ${{ env.INSTANCE }}
 
       - name: Ensure 'invalid' errored
         if: matrix.instance == 'invalid' && steps.test-vault-action.outcome != 'failure'

actions/build-push-to-dockerhub/README.md

@@ -3,10 +3,13 @@
 > [!NOTE]
 > If you are at Grafana Labs:
 >
-> - A docker mirror is available on our self-hosted runners, see [the internal documentation](https://enghub.grafana-ops.net/docs/default/component/deployment-tools/platform/continuous-integration/#docker-caching-in-github-actions) for more info.
+> - A docker mirror is available on our self-hosted runners, see [the internal
+>   documentation](https://enghub.grafana-ops.net/docs/default/component/deployment-tools/platform/continuous-integration/#docker-caching-in-github-actions)
+>   for more info.
 
-This is a composite GitHub Action, used to build Docker images and push them to DockerHub.
-It uses `get-vault-secrets` action to get the DockerHub username and password from Vault.
+This is a composite GitHub Action, used to build Docker images and push them to
+DockerHub. It uses `get-vault-secrets` action to get the DockerHub username and
+password from Vault.
 
 Example of how to use this action in a repository:
 
@@ -64,4 +67,8 @@ jobs:
 
 - If you specify `platforms` then the action will use buildx to build the image.
 - You must create a Dockerhub repo before you are able to push to it.
-- Most projects should be using Google Artifact Registry (instead of Dockerhub) to store their images. You can see more about that in the push-to-gar-docker shared workflow.
+- Most projects at Grafana Labs should be using Google Artifact Registry instead
+  of Dockerhub to store their images. You can see more about that in the
+  [push-to-gar-docker] shared workflow.
+
+[push-to-gar-docker]: ../push-to-gar-docker/README.md

actions/build-push-to-dockerhub/action.yaml

@@ -103,7 +103,16 @@ runs:
         images: ${{ inputs.repository }}
         tags: ${{ inputs.tags }}
 
-    - name: Build and push Docker image
+    # The `context` input is flagged by Zizmor as a [sink]. This means that with
+    # the upstream action the user's input to the input ends up in an output,
+    # and so if it's not handled properly, it could lead to a template injection
+    # attack. In this action, we pass through the inputs, but we don't then pass
+    # back the outputs, so we should be fine. Even if we did pass back the
+    # outputs, we consider ourselves a proxy, so in that case our job would be
+    # to warn users but not to take any action.
+    #
+    # [sink]: https://github.blog/security/application-security/how-to-secure-your-github-actions-workflows-with-codeql/#models
+    - name: Build and push Docker image # zizmor: ignore[template-injection]
       uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
       with:
         context: ${{ inputs.context }}

actions/login-to-gcs/action.yaml

@@ -78,9 +78,11 @@ runs:
       if: ${{ inputs.delete_credentials_file == 'true' && env.GOOGLE_APPLICATION_CREDENTIALS != '' }}
       shell: sh
       run: |
-        if [ -f "${{ env.GOOGLE_APPLICATION_CREDENTIALS }}" ]; then
-          rm -f "${{ env.GOOGLE_APPLICATION_CREDENTIALS }}"
+        if [ -f "${GOOGLE_APPLICATION_CREDENTIALS}" ]; then
+          rm -f "${GOOGLE_APPLICATION_CREDENTIALS}"
           echo "::notice::Successfully deleted credentials file"
         else
-          echo "::warning::Credentials file not found at ${{ env.GOOGLE_APPLICATION_CREDENTIALS }}"
+          echo "::warning::Credentials file not found at ${GOOGLE_APPLICATION_CREDENTIALS}"
         fi
+      env:
+        GOOGLE_APPLICATION_CREDENTIALS: ${{ env.GOOGLE_APPLICATION_CREDENTIALS }}

actions/push-to-gar-docker/action.yaml

@@ -207,9 +207,11 @@ runs:
       if: ${{ inputs.delete_credentials_file == 'true' && env.GOOGLE_APPLICATION_CREDENTIALS != '' }}
       shell: sh
       run: |
-        if [ -f "${{ env.GOOGLE_APPLICATION_CREDENTIALS }}" ]; then
-          rm -f "${{ env.GOOGLE_APPLICATION_CREDENTIALS }}"
+        if [ -f "${GOOGLE_APPLICATION_CREDENTIALS}" ]; then
+          rm -f "${GOOGLE_APPLICATION_CREDENTIALS}"
           echo "::notice::Successfully deleted credentials file"
         else
-          echo "::warning::Credentials file not found at ${{ env.GOOGLE_APPLICATION_CREDENTIALS }}"
+          echo "::warning::Credentials file not found at ${GOOGLE_APPLICATION_CREDENTIALS}"
         fi
+      env:
+        GOOGLE_APPLICATION_CREDENTIALS: ${{ env.GOOGLE_APPLICATION_CREDENTIALS }}

actions/push-to-gcs/action.yaml

@@ -120,9 +120,11 @@ runs:
       if: ${{ inputs.delete_credentials_file == 'true' && env.GOOGLE_APPLICATION_CREDENTIALS != '' }}
       shell: sh
       run: |
-        if [ -f "${{ env.GOOGLE_APPLICATION_CREDENTIALS }}" ]; then
-          rm -f "${{ env.GOOGLE_APPLICATION_CREDENTIALS }}"
+        if [ -f "${GOOGLE_APPLICATION_CREDENTIALS}" ]; then
+          rm -f "${GOOGLE_APPLICATION_CREDENTIALS}"
           echo "::notice::Successfully deleted credentials file"
         else
-          echo "::warning::Credentials file not found at ${{ env.GOOGLE_APPLICATION_CREDENTIALS }}"
+          echo "::warning::Credentials file not found at ${GOOGLE_APPLICATION_CREDENTIALS}"
         fi
+      env:
+        GOOGLE_APPLICATION_CREDENTIALS: ${{ env.GOOGLE_APPLICATION_CREDENTIALS }}